Before we get into the interplay between vendor risk assessment and security awareness training, let's get one thing out of the way right here at the top. There are bona fide, important, practical reasons why you absolutely should be doing security awareness training for your team regardless of whether a vendor risk assessment ever asks you to do so. It's a smart move either way.
However, as a company that specializes in working with founding teams, we know that sometimes an early-stage venture hits a growth stride so quickly that the forcing function (a vendor risk assessment) arrives faster than the intuitive thought of "we should probably be doing some security awareness training" -- and we certainly empathize with founders in that situation.
Here's what you need to know about the modern way to quickly, cost-effectively, and painlessly implement security awareness training.
Security Awareness Training in 2021
There has been a fortunate and helpful change in the way that leading companies handle security awareness training -- and it's good for both the employees and the ownership group on every dimension. Here's the modern way to run your security training:
On-Demand
If you've been involved in technology companies for any length of time beyond the past few years, you'll remember the pain of mandatory training sessions held at a fixed date and time. That format forces impossible decisions: a manager who suddenly learns of a sensitive personnel issue that needs attention, with the mandatory training session minutes away; or an employee with an emergency at home who feels stuck in a no-win choice between urgent obligations on both the work and home fronts.
Candidly, the strong trend towards on-demand training is one of the best things that has ever happened to security awareness training, because it creates the opportunity for every employee to participate at a time where they know that they can give the topic their best attention and effort. And that's a win for all involved.
Online
This one is literal (we sure hope your training is conducted online), but it also carries some underlying assumptions that we want to surface. A good online training system for security awareness training (and other training too) includes the following items:
Audit Logging: a trail of evidence that keeps track of which employee took what training, and when. Employee name, training session title, and timestamp are a good start.
Reminder Orchestration: if you are going to transition to online training, choose a system that handles the reminder sequence itself, alerting employees of an impending deadline for completing training without you having to send reminders manually.
Put simply, when we say "online" we're not just saying to drop a training session onto a file share and ask employees to download/view it. Although that's technically "online" it misses the point.
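To make the two requirements above concrete, here is an added example (not code from the original post or from any training product) of what the audit trail and reminder orchestration amount to in practice: an evidence log of who completed which session and when, the list of people still outstanding, and the logic that decides who gets a nudge on a given day. The employee names, course title, dates and the 14/7/1-day reminder schedule are constructed assumptions.

```python
"""Minimal audit trail plus reminder logic for security awareness training.
Added example with constructed data; names, dates and the reminder schedule
are assumptions, not values from any real system."""
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class CompletionRecord:
    employee: str       # who took the training
    course: str         # training session title
    completed_on: date  # timestamp of completion (date granularity here)

# Constructed audit log: the evidence trail a vendor risk assessor asks for.
AUDIT_LOG = [
    CompletionRecord("alice", "Security Awareness 2021", date(2021, 3, 2)),
    CompletionRecord("bob",   "Security Awareness 2021", date(2021, 3, 20)),
    CompletionRecord("carol", "Phishing Basics",         date(2021, 3, 5)),
]
ROSTER = ["alice", "bob", "carol", "dave"]  # constructed team roster

# Assumed reminder schedule: days before the deadline on which a nudge goes out.
REMINDER_DAYS_BEFORE = (14, 7, 1)

def completed(audit_log, course):
    """Employees with at least one logged completion of `course`."""
    return {r.employee for r in audit_log if r.course == course}

def outstanding(audit_log, roster, course):
    """Roster members with no completion record for `course`, sorted."""
    return sorted(set(roster) - completed(audit_log, course))

def reminders_due(audit_log, roster, course, deadline, today):
    """(employee, days_left) for everyone who should be reminded today.
    A reminder fires only on scheduled days and only for people still
    outstanding; once the deadline has passed, anyone outstanding is
    flagged as overdue (negative days_left) every day."""
    days_left = (deadline - today).days
    if days_left < 0 or days_left in REMINDER_DAYS_BEFORE:
        return [(p, days_left) for p in outstanding(audit_log, roster, course)]
    return []

def evidence_report(audit_log, course):
    """Rows for an assessor: (employee, course, ISO date), newest first."""
    rows = sorted((r for r in audit_log if r.course == course),
                  key=lambda r: r.completed_on, reverse=True)
    return [(r.employee, r.course, r.completed_on.isoformat()) for r in rows]
```

Note that a completion of a different course (carol's "Phishing Basics") does not satisfy the requirement, which is why the log must record the session title and not just a "trained" flag.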
Digital-First
Here's a big one -- and it's meant to address an anti-pattern head-on. To fully grasp the point, picture the CTO of an early-stage company presenting a hand-crafted 20-slide deck to the team... about information security.
Here's where the mistake happens.
Some companies that need to graduate to more repeatable security awareness training start by having that same presenter record the same session they've always done, using a screencast or video recording.
Digital-first training is training that was designed for on-screen consumption - with interactive graphics and interstitial quizzes. It's not the same as taking training that was designed for in-person presentation and simply recording it.
Ready to advance to On-Demand, Online, Digital-First security awareness training? We're here to help. And you can be up-and-running with a teamwide invite to security awareness training as quickly as 10 minutes from now, by creating a free trial account here.