
One of the basic security measures that every company should be taking is giving security awareness training to its employees. This is part of Critical Security Control 9. CSC 9-3 says:

“Implement an online security awareness program that (1) focuses only on the methods commonly used in intrusions that can be blocked through individual action, (2) is delivered in short online modules convenient for employees (3) is updated frequently (at least annually) to represent the latest attack techniques, (4) is mandated for completion by all employees at least annually, and (5) is reliably monitored for employee completion.”

So I wasn’t the least bit surprised a few years ago when my team of security researchers was asked to take security awareness training. But it did seem funny that this group, the most security-aware people I know, was taking the same training as the HR team.

Not that I think they minded that much, as the online training quickly became a game of how you could hack the online training into giving you a passing score without having to sit through an hour of videos (hint: although you may not be able to comprehend 15 videos playing simultaneously on your screen, it does substantially reduce how long it takes to watch 15 videos).

This does seem to be a common issue, though, and so I think it is valuable to give some options to the security pros in your organization. There is an opportunity to turn what is for them an annoying waste of an hour into something productive and valuable to the business. Here are a few ideas for implementing this control:

Give an “Advanced Option” as Part of Awareness Training

Anyone who really knows their stuff with security would probably opt to learn something useful instead of rehashing what they already know. I recently made a technical report on how large organizations implement vulnerability management mandatory reading for one of my teams.

That probably took about as much time to read as an online awareness training class would take, but for this group I’d say it is far more valuable to educate them on one particularly relevant area of security, rather than cover the basics again. An advanced option could come from the same training system as your basic class, or it could be as simple as an instruction to watch a webinar or read a new report on an area of security.

Offer a Security Project in Lieu of Training

For the security pros, your organization will probably get more out of them if they do something for security instead of taking a class. We do brown bag trainings at our office, so if someone is willing to spend an hour teaching others about an area of security they are an expert in, why not let that fulfill their awareness duty for the year?

Or how about an assignment to design some posters reminding people of key security basics and put them up? If a security pro is willing to spend the time to do something to increase awareness for the organization, let them do it!

Turn Security Awareness into Continuing Security Education

The 20 CSC suggest reiterating training with updates annually, but many organizations have a tendency to repeat the exact same regimen every year. What about creating a program in your organization that encourages and offers continuing education around security for your employees, instead of simply repeating the same training options?

Those with professional certifications in security, like a CISSP, know that Continuing Professional Education credits are required to stay certified. That does not mean they need to go back over the original certification materials.

Whether you have the budget to offer external training opportunities to employees, or spend time creating a simple internal system of training credits, giving security pros the option to be exempt from awareness training as long as they have completed some security education in the previous time period makes sense.

Some small tweaks like this can make your security pros a little more appreciative of their company’s own policies, while benefiting the company at the same time – a cheap win-win.

So the next time that reminder goes out to your employees that they need to complete the annual security awareness training, spend a few minutes thinking about how you can make your pros happy while keeping them educated instead.

  • Amos Skeetow

    Great thoughts on keeping security awareness training fresh and relevant.

  • Absolutely true. Each organization is different. However, you can capitalize on existing general awareness content by using a condensed version of it for IT Staff, but in live workshops. I start with a fun "icebreaker exercise" that gives a hands-on, low tech demonstration of how opening an infected email from a privileged account can cost the organization a lot more than if it's opened in a non-privileged account. That gives them something unexpected, and gets them engaged. Then, I say, "I know you folks already know the basics, but for the sake of compliance requirements, we'll do a quick run through the general topics, and you can comment on your experiences with users." This gives them more chances to engage with comments. Then, a special section more relevant to IT Staff risks like browsing from privileged accounts or server systems, spotting unauthorized hardware and software, and a couple of case studies on recent publicized breaches. Or, you can discuss an internal incident, if it's approved and the staff can be trusted not to discuss in public (or Chatham House Rules). This can all be done in 90 minutes, in groups of up to 30 or so staff at a time. It's worth doing these sessions live for many reasons, if possible.

    Lesson Learned: It can be very painful/expensive to update/modify general programs that are based on Learning Management Systems, especially ones that are video based. For the IT Staff, you don't need that much static content, and the live discussions are much more memorable.

    • I think that is a great approach to take. Engaging and informative.