Recently I had a conversation with the CIO of a midsize law firm that had just lost quite a bit of work product (and one of its biggest clients along with it) to ransomware after an equity shareholder fell victim to spear phishing. He was looking for alternatives to his current cyber security awareness training provider.
He said: “I see security awareness training as being critical to prevent this from happening again,” and noted that his current vendor’s training “was clearly not effective.”
I asked him to outline what their current program looked like. It turned out the program was not really a program at all: each user went through approximately an hour of online security awareness training per year, focused on social engineering, passwords, and secure mobile work habits. When I asked about the additional elements a more robust program might include (e.g., phishing assessments, monthly emails, a security help desk, security walk-arounds, security-sponsored Lunch & Learns, security awareness posters, mid-year training refreshes, etc.), he told me he didn't have the budget for those types of activities, and that he had already had to fight senior management to move the program from three online episodes to four because of the cost of lost productivity.
He was surprised when I told him that he likely didn’t need a new security awareness training vendor—what he needed was a change in his program. I also told him a change in his program would send a very different message to the firm’s employees.
What the Structure of Your Security Awareness Training Program Tells Your Employees
Let’s put his program in perspective. There are 2,080 hours in an average working year, yet the firm was only willing to invest 1 of those hours on security awareness training (0.048% of the employees’ time). The firm’s revenue is approximately $100 million, yet the firm was only willing to invest about $6,000 per year in security awareness training (0.006%).
Does that demonstrate to employees that security awareness training is critical to protecting the firm’s interests? Or that it is critical to retaining key clients?
Clearly not. It tells employees that it’s not really that important, that it’s probably something they have to do for compliance reasons, and/or a key customer insisted they do it each year, so that’s what they do.
How does that compare with other messages they are getting for other “business-critical” issues like new client acquisition? How much is budgeted there? What percentage of key personnel’s time is spent on this activity? I guarantee it is greater than 0.048%.
Given these divergent messages, why are we surprised our employees are not invested in security awareness training?
The story ends with some good news, some bad news, and some promising news:
- Good news: The CIO gained support to migrate from “security awareness training” to a “security awareness program” with phishing, monthly security emails, and quarterly Lunch & Learns.
- Bad news: My argument was so compelling that he decided to stay with their current security awareness training vendor for another year :>( .
- Promising news: We may have lost the battle, but we might end up winning the war :>) … looks like we are going to help prepare the firm for ISO 27001 certification.