Educating the Workforce About Cybersecurity
As cyber threats grow more sophisticated and pervasive, educating employees at all levels about cybersecurity risks and preventative measures is now an essential task that cybersecurity teams need to factor into their scope and workload.
Delivering training to colleagues who are not day-to-day cybersecurity professionals is one of the more complex tasks a cybersecurity professional must deal with, for one simple reason: nobody has yet come up with a singular, reliable, foolproof way to educate everyone in the art and science of remaining cyber secure. This is no surprise, as there is no “right” way to educate people: everyone learns things differently, and in any organization, there will be the need to teach different people, in different departments and at different levels of seniority, different things – and probably in different ways.
One thing is certain, though: if we are to succeed in passing along education from cybersecurity professionals to the rest of the organization, we need to do more than just tell people to be secure and give them contextless, wordy policies to read. We need to help them understand what cybersecurity means and why it matters; and as well as knowing what controls they need to abide by, they need to understand why they need to abide by them. In short, education needs to support a cultural change as well as a knowledge exchange.
Engagement is the key word: if people “get it” and care about security, you have a fighting chance of arming them with the knowledge and understanding they need to be secure.
The Traditional Education Approach
Cybersecurity education within organizations has traditionally involved telling people things. It’s a conventional approach whose effectiveness some well-respected people have questioned. Swiss psychologist Jean Piaget was of the view (albeit not a terribly inclusive one, gender-wise) that: “The principal goal of education is to create men who are capable of doing new things, not simply repeating what other generations have done”. One-time U.S. Secretary of Health, Education, and Welfare John W. Gardner was of the view that: “All too often we are giving young people cut flowers when we should be teaching them to grow their own plants”. And 18th-century Scottish philosopher James Beattie said that: “The aim of education should be to teach us rather how to think, than what to think”. The moral is: let people think, and encourage them to do so in the context of cybersecurity, and you stand a better-than-average chance of them understanding how to be security-focused of their own accord.
This does not mean we should abandon all the tools we have traditionally used for cybersecurity education: this would be a step too far and would require us to invent far too many new concepts. However, if we can bring some thinking into what we do, that is a step forward. We will look at five ways we can make cybersecurity education within organizations more interactive and less “telling” – altogether more engaging.
Make It Relevant to the People You Are Educating
The biggest gasp I ever heard in a cybersecurity training class was in my consulting days: I flashed up a photo on the big screen and made the entire back row sit up straight in unison. The photo was of a company truck with the driver’s door open and a laptop on the driver’s seat, with the driver nowhere to be seen. The back row was made up of a group of other staff, all of whom had company vans, and all of whom instantly wore the look that said: “That could have been me”. Of course, I hid the license plate to protect the individual’s identity: everyone knew who had which truck and the point was not to name-and-shame!
So be brave: trust people to keep stories to themselves and use scenarios that are relevant to your organization. If you are fortunate enough not to have many real examples to reference, then widen the net to your industry or your locality – try to use something that the people you are educating will relate to and thus can become personally invested in.
Try “What If” Scenarios
Face-to-face sessions bring the benefit of interaction. You have the chance to ask questions rather than just telling people things, so it is important to make the most of that opportunity. Put a scenario on the board and ask people what they would do to deal with it. Dredge your memory – or Google’s – for interesting situations where there was a difficult decision to make. Play a ransomware scenario, for example, and ask whether disconnecting the file server would be the right thing to do; ask them to decide between pulling the plug and giving the IT team more time to trace the problem. Bring in the legal team (if you have one) and get them to question the group on whether paying the ransom is wise or even legal.
Any cybersecurity professional who has been in the industry for any amount of time will inevitably have been in situations where a decision had to be made that had no right answer – for Star Trek fans, think of it as the Kobayashi Maru exercise. Putting the audience in the same position in a classroom environment will be fun for you and them, but importantly it will promote empathy for the cybersecurity team in the event of a no-win decision having to be made in a real scenario.
Use Feedback Mechanisms as a Back-Up for Interaction
This concept follows on quite neatly from the previous one: although being with people in the same room is a gateway to two-way communication, there is a potential problem: much of the time you will have more feedback than time.
Use this to your advantage: if you can use the extra material to keep the audience interacting with you hours or days after the end of the classroom session, that is a tremendous sign that they are interested and engaged. Tools like Slido – which enable you to queue the questions coming in from the audience – are a tremendous bonus, and when you must call time on the session, you can deal with any left-over questions afterwards and prolong the engagement. There is no harm in taking it a step further: perhaps set up a Teams channel or the equivalent into which people can throw any questions they like, at any time. Also, do not be too quick to answer questions – provoke discussion where relevant by responding with: “OK everyone, what do you think?”.
Do Not Overestimate Your Audience
Particularly when speaking to senior management, it is very easy to assume that they know more than they really do. Always remember that the majority of senior management are not cybersecurity specialists: they are accountants, sales specialists, marketing experts etc.
While the tone of what you say to senior management will probably differ from the tone you use when speaking to other parts of the business, resist the temptation to be over-technical, because you will lose the room in an instant. More than once, I have been thanked by senior managers for telling them something simple, because they were uncomfortable about asking what they assumed everyone else already knew.
Also, avoid the mistake of asking questions to which you do not have an answer. We have talked about interaction, asking questions and inviting ideas, but each topic should be closed with an answer: that answer may come from the audience, but in case it does not, you should have one in your back pocket. At the highest level, they want you to tell them the problem, but what they really want you to tell them is the answer – as we said, do not overestimate them and expect them to come up with potential solutions to the problems they pay you to solve.
And Finally…
The fifth point is that the four concepts above work best in face-to-face cybersecurity training sessions. Use software to deliver cybersecurity education, carry out phishing tests and the like, but there really is no substitute for in-person training as well. While it can be costly (particularly if you engage external trainers for specialist topics) and time-consuming, if you do it well the value is tremendous.