Cyber Security Training: Carrot or Stick?
At RSA Conference last week I did a joint session entitled ‘Training Employees to Recognize and Avoid Advanced Threat’.
An interesting issue was raised by a member of the audience on whether organisations should use a carrot or a stick to encourage their employees to attend cyber security training. I guess it really depends on the organisation itself. Some verticals might get away with the stick approach if it is strictly written into employment contracts etc. but the reality is that it would be really difficult to implement.
I think the carrot is a much stronger and positive approach. Cybersecurity training must be appealing to employees and be sold to them as cybersecurity training for their families, friends and communities. We all need to work together to fight the adversaries and any knowledge or training given to us on cybersecurity from our work environment and shared with our families and friends would surely benefit everyone.
So, I think the carrot wins every time. And the only way to achieve this approach is to step out of the box on what this training should look like. Ask people around you what’s wrong with training today and you will hear words like not relevant, boring, all about compliance, death by PowerPoint and many more. Time to move on folks and embrace the ‘fun’ side of cyber training, like gaming software that makes cyber training fun and interesting but also provides some real metrics so that you can measure your employees’ ability to retain and practice what they learn. You can also tailor the content to help employees who may need additional training.
In the meantime, probably 80% of all organisations will continue to do the annual tick box training and wonder why the message isn’t resonating. We must embrace new approaches if we are to overcome the biggest vulnerability – our employees. The carrot wins hands down for me…