By: Larry Kinkaid
As we head into the new year, you might be thinking about your organization’s security and compliance goals. What will you be doing differently? What will remain the same? What do you need for continued success?
Let’s start with security awareness training.
According to the 2023 Verizon Data Breach Investigations Report (DBIR), 74% of data breaches involve a human element. Because of this risk, effective security awareness training is essential for all organizations. Even if you’re already requiring a standard security training for your employees, it’s important to update your training program regularly. Using specific techniques, such as tailoring your training to each employee’s specific role and responsibilities, can make security awareness training more engaging and effective.
Let’s look at how to implement a role-based security awareness training program at your organization this year so all your associates know their specific responsibilities and understand their roles in maintaining security and compliance.
Role-based security awareness training is exactly what it sounds like. Since employees have unique responsibilities and interact with different systems and data in their specific roles, they need to know different things about security. Simply educating a DevOps engineer on how to identify social engineering attacks isn’t enough—they should also know how to apply security in each aspect of their day-to-day jobs.
So, how should organizations determine which roles need specific training? The first step is to identify any sensitive information within your organization. Next, identify the roles that interact with that sensitive information to help you determine who will need tailored or specific security training.
For many organizations, compliance requirements are an easy place to begin this process. While security training should never be a check-the-box exercise, compliance can help guide role-based security training. For example, if your organization processes, transmits, or stores protected health information, it must comply with HIPAA. Determine who interacts with that data and ensure they are trained to understand how to appropriately handle data under HIPAA.
Everyone who works from a computer and has an email account should undergo basic security training. Other specific roles to consider include:
Some organizations may have employees who don’t use a computer for work and may not require basic IT security training. For those employees, figure out what IT exposure they do have, and give them a one-pager outlining expectations and responsibilities. For example, a night janitor doesn’t need to undergo OWASP training. Still, they should have a basic understanding of other security risks, such as what to do when another employee leaves their work laptop unattended overnight and requirements for physical security at the organization’s facilities.
There are plenty of tools to help organizations implement role-based security training to varying degrees of cost and effectiveness. BARR’s partner Curricula has a free, basic security awareness training available to organizations of all sizes and several more specific training episodes that can be used for role-based training such as privacy and HIPAA training.
Role-based security awareness training doesn’t need to be an expensive investment or tedious task for your employees. It can be as simple as starting a book club for developers to discuss educational resources on secure development. At a minimum, employees should receive training appropriate to their role upon hire and annually thereafter. The goal is to be engaging and effective, not dull and time-consuming.
Once role-based security training is implemented, how does your organization know if it’s successful? There are a few metrics for measuring the success of a training program, including the number of people who completed their training and the time it takes for an employee to complete the training after onboarding.
Organizations can also measure the increase in security reports. When employees report security issues or phishing emails, it shows the organization that security training is working.
Finally, security teams should also solicit feedback from their employees. Did they enjoy the training and feel empowered by it? How could it be improved? Real-time feedback can help leadership determine any necessary changes to security awareness training.
Role-based security awareness training can be more effective than forcing all employees to undergo the same lengthy, boring training. At BARR, our cybersecurity consulting team can help you create an engaging security awareness training program tailored to your organization.
Let’s take a look at some of the benefits organizations can expect after implementing role-based security training.
Interested in learning more about how BARR’s consulting team can help your organization implement role-based security awareness training? Speak with a BARR specialist today.
Larry Kinkaid
Manager, Cybersecurity Consulting
As manager of BARR’s cybersecurity consulting team, Larry plans and executes various engagements including readiness assessments, policy and procedure documentation, vendor risk management assessments, and external audit assistance.
Larry is an experienced consulting professional with a history of working in IT governance, risk, and compliance for large companies. He maintains the CISA and CRISC certifications to fortify his reputation as an IT professional in audit and risk. Larry graduated from Bowling Green State University with a Bachelor of Science in Business Administration, Information Systems Auditing and Control, and Management Information Systems.