Tags:
Last week I started a new series in security awareness training on how to communicate your awareness program. Even once you identify the most effective security awareness topics for your organization, you will not have an impact unless you effectively communicate those topics. Last week I broke down security awareness communication into two categories, primary and reinforcemnt.
Today I would like to focus on primary. The purpose of primary
training is two fold. The first is to communicate your program to new
hires, contractors or other individuals who are not security aware and
do not know company policies. The goal is to make sure everyone is on
the same baseline (kind of like basic training in the military). This
is often an annual program. In addition the tracking of primary
training is often required for compliance purposes, to demonstrate to
auditors that everyone is trained. In general the two most common
methods for primary training are
On Site Workshops: This is when organizations provide
onsite training, usually an instructor led presentation. Training is
usually one to three hours long. The advantages of onsite training is
it can minimize costs and if you have knowledgable, dynamic speakers it
can be one of the most effective means to communicate. There is nothing
more exciting then having a highly interactive presentation that gets
both speaker and audience working together. The problem is On-Site
Workshops do not scale well. If you have 5,000 or even 50,000 employees
spread out around the world who will do all the speaking, how will you
coordinate getting all these people into rooms at certain times, and do
you have the facilities? In addition, you either need dedicated
speakers who travel around the world, or you have multiple speakers in
multiple locations. The challenge then becomes having high quality
instructors that can communicate a consistent message. If you have the
resources for onsite workshops, it can be one of the most effective
means for primary training. The challenge is usually one of scale.
Online Computer Based Training (CBT): While CBT cannot
create the interactive environment that an onsite workshop can, its
greatest advantage is that it allows organizations to scale. Employees
can take the training when they want, even from home. This ensures you
can reach more people, and since the training is online you can easily
track who took what training when (important for compliance). In
addition it is simpler to ensure you communicate a consistent message to
everyone, you can even translate the content so that message is
communicated to employees in their native language. You also do not
have to worry about locations or facilities, as you no longer have to
physically bring speakers and end users together. Interestingly enough,
three organization I have worked with in the past six months have also
taken the extra step of making their CBT training available to employee
families.
Each method has its advantages and disadvantages, which approach is
right depends on your organization and your requirements. I have seen
some organizations use a combined approach, where onsite workshops are
used, but then online training is provided for employees who want to
take it again or missed the onsite.