Your security trainings are shit

Here's how you can improve them

I’m sorry

Corporate information security trainings are crap. They are.

If you’ve never endured that dull pixelated video where a voice actor coming right out of Dora The Explorer condescendingly tells you to check the link before clicking, congratulations to you. May we all be so lucky.

Analysing the mediocrity

Let’s put weekly fake phishing campaigns aside for a second. Corporate security trainings usually come in one of these forms:

  • Video followed up by a quiz
  • In-person training sessions
  • Instant messaging conversations with bots (on Slack or Teams)

Let’s unpack this.

Think back to when you were 10 years old at school: what engaged you the most? Was it the dull teacher who droned on monotonously for ages? Or was it the physical education sessions where you could do something for a change? Was it the teacher who told vibrant stories? Or was it the dry math textbook that barely had a drawing underneath the Pythagorean theorem? Was it the subject you excelled at or the one you despised?

I think you get my point.

Reasons

Corporate security trainings are crap for two reasons.

Your attendees don’t give a damn about security

Just accept it.

Do you care about the intricacies of how SEO is affecting the cost of customer acquisition? Do you care about your company’s contribution margin ratio? I’m willing to bet you don’t. In fact, I’d argue you probably shouldn’t care, because you’re human, and humans have a finite ability to handle information, and that added cognitive load will kill you.

You’re not making any effort to engage them

Good grief!

Training videos or shiny AI-powered conversation bots may look enticing to the overwhelmed security professional you are, but they lack something crucial: human touch. People care about other people, about their place in the group, about human stories of success and failure. Apps can’t provide that.

Alright, I’ll talk to them myself.

That’s better. But if you’re inviting people to a meeting where you read out OWASP’s Top 10 lists and condescendingly explain an SQL injection, you’re only guaranteed two things:

  1. bringing back memories of endless, monotonous, boring lectures from their school days
  2. damaging your credibility in the organisation.

Good job mate.

So, now what?

Doing better

I’ve run countless security awareness training sessions in my life. The first ones were crap. But I’ve iterated on them and improved the content and style.

Avoid the automated training platforms

If you’ve read the section above on why these trainings fail, you’ll understand why. Meetings work best; live ones, mind you, not recordings of previous meetings.

The automated platforms might help you with your compliance though. If that’s important to you, keep the videos, but make them short and sweet.

Focus on raising awareness, not transmitting information

You’re not their teacher. You’re not preparing them for an exam. You’ve got an hour with them; how much information could you possibly pass on?

Don’t fight a losing battle, focus on what’s important: getting them to be aware of the security implications of their work. Their work is their responsibility, and people usually want to do a good job. If you can get them to be aware of the security implications within their scopes of responsibility, your battle is won.

Tell them why

Admit it. Tell them why they’re here.

Tell them the contract your company just signed includes this:

Vendor shall require all personnel to participate in information security training and awareness sessions at least annually, and track completion of training for all personnel.

Tell them your compliance auditor is checking whether you’ve properly complied with

Personnel […] and relevant interested parties shall receive appropriate information security awareness, education and training […] as relevant for their job function.

They’re adults, they’ll understand. Be vulnerable, it’s alright.

Tell a story of a relevant security incident

I’ll say it again, people care about other people’s stories of success and failure. They don’t care about the abstract concept of “security”.

So tell them a riveting story about how people and organisations were affected by a cyberattack. I like to tell the stories of Uber’s 2022 breach and MGM’s 2023 breach. I very briefly go over the technical details, and focus on the human element.

While these incidents can be very interesting, press stories about giant, far-away corporations can feel alien to people. Nothing will be as eye-opening as a security incident your own company has encountered. Be transparent: share the story, the impact and the learnings. They will ask many more questions about your shared story than about what happened to some random mega corp.

Ask for their stories

While you may know more about security than most people in that room, you’re likely not the most interesting person there. Engage your crowd! Pick a moment in your presentation to pause, and ask for your coworkers’ own security stories, personal or professional. A dialogue is always more enjoyable than a monologue.

Engage them with games

Remember that your goal is raising awareness, in other words, getting them to think about security. So do just that: make them think about security!

One of my favourite games to play during training sessions is the “let me guess your password” game. I ask 10 yes-or-no questions; each person counts the total number of “yes” answers they had. The lower the score, the better! People can then compare their answers and get a sense of how an attacker would design a dictionary attack. If you told them that Yellow-2013 is a bad password, after this game, they’ll understand why!
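To show attendees in numbers why a password like Yellow-2013 fails, here is an added example (not the author’s game or any real tool) of a strength check that models the word + separator + year rule a dictionary attack would use. The wordlist, its assumed real-world size, the separator set and the year range are all assumptions constructed for this example.

```python
import re
from math import log2

# Constructed stand-in for an attacker's wordlist; a real list holds far
# more entries, which WORDLIST_SIZE (an assumption) accounts for.
COMMON_WORDS = {"yellow", "password", "summer", "welcome", "dragon", "monkey"}
WORDLIST_SIZE = 100_000          # assumed size of a realistic wordlist
SEPARATORS = "-_.!@#$ "          # separators a rule set tries between word and digits
YEARS = range(1900, 2031)        # assumed year range a rule appends
PATTERN = re.compile(r"^([A-Za-z]+)([" + re.escape(SEPARATORS) + r"]?)(\d{4})$")


def brute_force_bits(password: str) -> float:
    """Work (in bits) for an attacker who only knows the character classes used."""
    charset = 0
    if re.search(r"[a-z]", password): charset += 26
    if re.search(r"[A-Z]", password): charset += 26
    if re.search(r"[0-9]", password): charset += 10
    if re.search(r"[^A-Za-z0-9]", password): charset += 33
    return len(password) * log2(charset)


def dictionary_bits(password: str):
    """Work (in bits) under a word + separator + year rule, or None if it does not apply."""
    m = PATTERN.match(password)
    if not m:
        return None
    word, _sep, year = m.groups()
    if word.lower() not in COMMON_WORDS or int(year) not in YEARS:
        return None
    # The rule tries every wordlist entry, two capitalisation variants
    # (as-is and initial capital), each separator or none, and every year.
    guesses = WORDLIST_SIZE * 2 * (len(SEPARATORS) + 1) * len(YEARS)
    return log2(guesses)


def assess(password: str) -> dict:
    """Compare the naive brute-force cost with the dictionary-rule cost."""
    bf = brute_force_bits(password)
    d = dictionary_bits(password)
    return {
        "pattern": "word+separator+year" if d is not None else None,
        "brute_force_bits": round(bf, 1),
        "dictionary_bits": round(d, 1) if d is not None else None,
        "effective_bits": round(bf if d is None else min(bf, d), 1),
    }


if __name__ == "__main__":
    for pw in ("Yellow-2013", "Yellow2013", "kx7!Qv2Lp#9"):
        print(pw, assess(pw))
```

Yellow-2013 looks like 72 bits of brute-force work but collapses to under 28 bits once the attacker's rule set matches the pattern; that gap is the point of the game.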

Make the lecture part as short as possible

You will inevitably have some tips to provide. That’s to be expected from a security training.

Try to associate each recommendation to a story you told during the session, so they can see the reasoning behind it. But, please, I beg you, keep it short. Don’t bore people with too many details.

Keep it fresh

These trainings are supposed to be recurring. Some of your attendees will have already had this same session 6 or 12 months ago. Do take the time to update your presentation with new stories, different takes or new focus topics.

People don’t want to watch the same show twice. Yes, you are putting on a show.

Ask for their feedback

You work in security. You’re in it, all day, every day. Your opinion does not matter here. Theirs does.

Ask for feedback so you can learn how to improve. Anonymous questionnaires work best so they can let it all out.

It doesn’t have to be a pain

When all security measures fail, your coworkers will be the last line standing between your org and an incident. Raising awareness is important work. You have to get it right.

However, not all of us are equipped to handle speaking engagements like this. That’s okay. Find someone on your team who is, then prepare them for this; you will reap the rewards. I know I have.