Security Awareness Training

๐€๐ฅ๐ฅ ๐ž๐ฆ๐ฉ๐ฅ๐จ๐ฒ๐ž๐ž๐ฌ ๐ฆ๐ฎ๐ฌ๐ญ ๐œ๐จ๐ฆ๐ฉ๐ฅ๐ž๐ญ๐ž ๐ญ๐ก๐ž ๐ฌ๐ž๐œ๐ฎ๐ซ๐ข๐ญ๐ฒ ๐š๐ฐ๐š๐ซ๐ž๐ง๐ž๐ฌ๐ฌ ๐ญ๐ซ๐š๐ข๐ง๐ข๐ง๐  ๐ฐ๐ข๐ญ๐ก๐ข๐ง ๐Ÿ‘๐ŸŽ ๐๐š๐ฒ๐ฌ ๐จ๐Ÿ ๐จ๐ง๐›๐จ๐š๐ซ๐๐ข๐ง๐  ๐š๐ง๐ ๐š๐ง๐ง๐ฎ๐š๐ฅ๐ฅ๐ฒ ๐ญ๐ก๐ž๐ซ๐ž๐š๐Ÿ๐ญ๐ž๐ซ.
Sound familiar?

Despite this being a hard requirement, and despite many organizations spending thousands of dollars on implementing a Learning Management System (LMS), tracking completion rates, and sometimes enforcing sanctions for not completing the training, one question has always been a point of discussion: are these trainings truly effective, or just a checkbox activity?

The problem with the default security training that comes with the LMS is that it doesn’t address the unique risk profile of the organization (the same training for healthcare, fintech, insurtech, etc.), is hardly ever updated with the latest content and is often outdated (does your security awareness training speak to the AI policies of your org?), and lacks guidance on available tools and resources for future actions (whom to reach out to about a phishing email, what the distribution list for the InfoSec team is, whether sensitive information is allowed to be shared on this communication tool, etc.). Ultimately, these security awareness trainings become a checkbox activity for employees, leading to no behavioral change or added knowledge.

When I joined Headspace, the first project I did was to partner with Joey Po Yi Wu and revamp the security awareness training. By revamping, I don’t mean onboarding a new LMS or buying a new SCORM file and uploading it to the LMS, but building the entire 40-page security awareness deck from scratch.

Over the years, my colleagues Bryan Wong and Sarra McLeod took over the training and made it an extraordinary mini-course covering everything from the legal entities of Headspace, a summary of offered products, AI security guidelines, best practices for securing sensitive information, which systems are approved for storing such information, etc. The team did such an amazing job that Headspace’s InfoSec team won an award for “Best Authored Security Training”.

This project turned out to be the most cost-effective but impactful activity we undertook to cultivate the culture of security awareness.

So, next time you’re considering a new LMS or buying a SCORM file, ask yourself – could you build a security awareness program tailored to your organization’s unique risk profile and needs rather than just buying off-the-shelf content?
