Cybersecurity Training Should Not Stink
A colleague recently tried to be polite about Pythia Cyber's willingness to help organizations overhaul their annual mandatory company-wide cybersecurity training. She was polite but persistent in questioning the wisdom of this move, and her comments grew ever sharper:
- Such training is usually a fig leaf for insurance reasons.
- Nobody takes it seriously.
- It doesn't accomplish anything.
- All such training I have ever had has been boring and useless and even a little condescending.
I agreed that all of the observations were usually true. So then she tried a different tack: why is Pythia Cyber's training any different?
This was a very useful question. Our training is different because our goal is to improve cybersecurity rather than checking bureaucratic boxes. Instead of the scolding tone and the list of dumb things to avoid doing, we use the NIST CSF to frame enlisting your people in the cybersecurity cause.
We recommend that you start by surveying your people to find out what technology they need in order to do their jobs. In theory the Identify step of your robust and rigorous Cybersecurity Program (CSP) already has all of their answers in its master list, but it never hurts to ask. For example, the LAN is one digital asset that almost everyone can grasp.
Once you know what they are motivated to protect, you give them a targeted version of the policies you created as part of the Protect step of your CSP. This should be short enough for them to read but not dumbed down; condescending to people is an ineffective teaching tool. Instead, this should be a list of the main threats, each paired with the counter-measure you want them to take. For example, keeping malware off the LAN is a goal most people should be able to grasp, even if the way to do this is to avoid suspicious emails and to avoid clicking on things in emails even when those emails are not suspicious.
Believe it or not, the rank-and-file can help with the Detect step of your CSP by reporting anything odd, especially performance issues. Routine tasks running very slowly? That bears looking into. Routine tasks running with sudden blinding speed? Also suspicious.
The best way the rank-and-file can help with the Respond step of an incident is by being aware that such things exist in general and that there is an incident in particular. Your company-wide communications will be more effective if people understand the context. Don't say "don't print anything on the 3rd floor printer until further notice." Instead say "We are responding to a potential cyber incident. Part of that response is taking the 3rd floor printer off-line immediately. We hope to have the printer back in service by the end of business tomorrow."
The best way the rank-and-file can help with the Recover step is to validate what you have recovered, since they often know better than you do how things are supposed to look. But in order to be helpful, they have to know that their help is needed. Use them where it makes sense. There is short-term gain in validation and long-term gain in having colleagues who are engaged and committed to better cybersecurity rather than simply compliant with their mandatory annual training.
If you are going to go to the trouble of having mandatory annual cybersecurity training for the masses, then go a little farther and make it meaningful.