7 Ways to Transform Your Cybersecurity Training and Influence Lasting Change

July 5, 2022 | Cybersecurity & CISO Insights | 8 min read


The importance of privacy and safety cannot be overstated in this digital age. So much of our business infrastructure relies upon digital technology. This makes the technology, and the data it contains, a constant target for hackers and other malicious actors. As a result, robust cybersecurity training is imperative for businesses that want to keep their insights, data, intellectual property, and additional proprietary information safe and secure.

For many, one of the answers to the problem has been cybersecurity awareness programs. The traditional approach is a mandated one-off training session where employees read information and answer questions, but given the growing cost of data breaches and cyber crime, IT and security experts are coming to the realization that they must refine how they train their workforce to effectively combat threats.

Traditional cybersecurity awareness can be impersonal and does little to engage the learner beyond being an employee at your company. If the goal is to win hearts and minds, formal awareness training can fall short and often doesn’t inspire people to care.

One of the problems is that many organizations provide awareness training to satisfy minimum compliance requirements, not to educate their employees. As a result, security and awareness programs don’t always lead to the result IT leadership expects.

To add to that frustration, employees often see IT security as a team to avoid, as enforcers when they need to be seen as educators. Meanwhile, scammers and hackers don't ever stop learning.

A strong security culture depends on ongoing education. With a continued investment in education, it's possible to build a transformative training program that influences lasting change. Here are 7 ways to help capture hearts and minds, engage your workforce and protect your organization from a potentially damaging breach.

1. Awareness vs. Understanding

Being aware of risk doesn't automatically protect you from it. So, simply making your employees aware of risks doesn't go far enough; it can cause panic and could lead to sloppy decision-making. Instead, you must ensure your employees can identify risks and either avoid them or understand how to mitigate any potential damage.

What's needed is an authentic, people-centered approach built on a multi-year strategy with buy-in from stakeholders and communities across your entire enterprise. Target communities that are at greatest risk and give them the support they need.

Broaden your security efforts by expanding education throughout your organization. Cybersecurity training is for everyone and should be incorporated into onboarding and annual review cycles. When you empower your non-IT security teams, you create allies that members of the security team can rely on to drive organizational initiatives and effect cultural change.

2. Don't be afraid to play

Using humor and fun to educate learners about a serious message is effective when done correctly. For example, rethink the staid workshop in favor of an escape room, develop fun educational videos produced in a social media style that could replace boring instructional ones, or use a gamified context to teach employees how to deal with security risks effectively.

Innovative experiential learning involving storytelling and roleplaying strategies can help you hit your metrics for success while encouraging ownership and accountability in an engaging way. A proactive security team can't be shy about adding a little humor to address a serious topic.

3. Focus on the learner

Scientific research is pretty clear on what people need to feel engaged in a learning experience: relevance, meaning, and emotion. Therefore, your training should focus on the learner as a person, not just as an employee within your organization.

If your training is to inspire lasting change, people need to see themselves in the content, not just hooded hackers. Therefore, messaging and content must be diverse and inclusive. People also don't necessarily like being told what to do and how to act, but people like being helpful and proactive in protecting their teammates, friends, and loved ones.

So, ensure your training includes education about security matters relevant to their lives inside and outside work to drive home what's at risk and broaden the conversation.

4. Leverage technology & brain science

Structure training to maximize retention. Training should break down into short bursts of learning experienced through an engaging presentation of information, practice opportunities, and evaluation. Strategies, including practical examples, case studies, video scenarios, animation, narration, and interactive quizzes, can help maximize engagement and retention.

People are also responsive to semi-competitive social proof techniques. Allowing employees to compare their performance against their peers often influences them to do better if they are falling short.

Always keep in mind that technology can sometimes be a barrier as well. Work closely with your security team and stakeholders to ensure no tech limitations are holding back change.

5. Repeat, repeat, repeat

Humans do not have unlimited memory space, and when there is no active attempt to retain information, it is lost over time. In addition, people forget at different rates, so it's important to reinforce key messages frequently.

Giving employees the opportunity to repeat courses or training, especially given the ever-changing nature of technology and threats from attackers, helps build solid skills and keep them strong.

6. Education vs. punishment

IT security teams must be on the front lines, helping the rest of the organization understand their part in changing the security culture. However, if other business units are nervous about approaching the security team, it may pose a challenge to security assurance.

Make sure your security team is comfortable with being an enabler, leads with empathy, and reflects well on your entire security program. If your team lacks these human-centric skills, you might want to provide coaching to help them learn.

7. Use learning technology you can trust

Skillsoft leverages technology and learning science to help you build a first-class, engaging cybersecurity career journey that will benefit your whole organization.

Our Cybersecurity Career Journey is filled with expert content to accelerate the on-the-job application of new skills through a fully integrated experience, including live, on-demand, and hands-on learning.
