As with anything else in your organization, the way to ensure a job gets done properly is to educate the people who need to do the job. In other words, training is integral to any program.
We’ve all been through the annual awareness training, where we sit and listen to, or read, the information on the screen and pay enough attention to click through the test if there is one. Your participation can then be checked off, but did you really learn anything?
Role-specific training can be helpful as a way to make a more lasting impression. Ask developers to take specific security-related training for the language and platform they code on, and provide different training for your customer-facing people. Employees who handle sensitive data, such as employee data and payment data, need specific and focused training to understand their importance in the bigger security posture.
Follow up training with actual tests and exercises to give employees the practice they need. Tabletop exercises and real-life scenario-based tests are great; the more everyone practices, the better their performance during an actual event.
All employees should have a goal in their annual review that covers security topics, such as being able to properly identify an event and report it to the right authorities, and knowing which steps they are required to perform in the name of good security.