As we kick off a new year, this is a good time to reevaluate how we look at our cybersecurity programs, and the key components that need to be considered.
* The first key component is to understand your audience. Not all employees are created equal. You need to look at how the company is structured. How is the technical team structured? How is the executive team structured? Each group will potentially have different needs.
Once you’ve identified the target groups, you need to do a skill-level assessment. This doesn’t have to be formalized, but you need to assess what level of cybersecurity knowledge each of those different groups possesses.
* The second major element is setting training objectives. One objective might be generally increasing the awareness of the importance of cybersecurity across the whole organization.
Another might be increasing the secure coding skill of the development team.
Once you’ve set your training objectives, you’ll want to think about how to develop skills. If your goal is to broaden the sense of cybersecurity’s importance, then you’re going to want to train employees on how to identify phishing, or create secure passwords or ensure safe internet browsing. If you’re aiming for secure code development, then it’s about identifying the key languages your organization develops code in and giving developers the basics of secure coding for those languages.
Another component of training objectives is regularly familiarizing employees with the organization’s cybersecurity policies and procedures. That would include reviewing and updating an acceptable use policy if one exists, and spelling out who to contact in the event of a security issue or incident.
* Major element No. 3 is curriculum development. I find that training modules are more effective than all-day training sessions. You can modularize topics like phishing, malware, password protection, secure coding for a certain language, data and privacy laws, and safe browsing habits, and do updates on a monthly or quarterly basis. You’ll want to include real-world examples in these modules to illustrate what the common threats are and how they can impact an organization. You can draw either from your organization’s own experience or that of a competitor or other industry member. To give people practical experience, follow up with interactive elements like a quiz or a simulation.
* Method of delivery is your fourth major component. If your organization is geographically dispersed, then online training will be the way to go. If not, then you can opt for in-person workshops with a chance for interactive questions. The content has to be updated regularly as threats to the organization change. You can’t recycle something from four years ago and expect it to still be relevant.
* The next major element is implementation. As you plan the year, set the cadence and what the rollout will look like. Some elements, like general awareness training, should have mandatory participation for all employees. Secure code development should be mandatory for developers working in a specific language. Link to any supporting materials so they have modules or presentations to refer back to.
* And finally, set up a mechanism for post-training evaluation and feedback so you can use that for continuous improvement. Consider incentives and recognition for people who complete the training.
In the long term, you’ll want to revisit your cybersecurity program each year, and update as necessary for compliance or legal or industry standards. Good tracking and reporting will be essential to the program’s success.