
11/12/2018 5 Steps to Building a Cyber-Aware Staff - InfoSec Institute, Inc.

5 Steps to Building a Cyber-Aware Staff
Category: Best Practices, Security Awareness Training
October 10, 2018

Virtually every organization faces cybersecurity threats carrying significant financial, legal and
reputational consequences. The bad news is many of these threats cannot be detected, let alone
prevented, by even the best IT professionals and technical controls. The good news is this doesn’t mean
you have zero options to keep your organization safe from cyber attacks. It only means you can’t do it
alone.

Preventing cybersecurity attacks at your organization takes more than technical efforts. It requires a
cyber-aware staff and a culture of security awareness to keep your organization safe. The biggest
question is: How can you build a cyber-aware staff?

We recently explored this question with Pete Just, CTO of Metropolitan School District of Wayne
Township in Indiana, to learn his five-step process for building a cyber-aware staff. Here’s what we
learned.

Step 1: Do IT Right

Before building security awareness into the culture of your organization, you must lay the IT
groundwork. Focus on reducing risk exposure, meeting compliance standards and installing the
technical controls to set your staff up for success.

Why does it matter?

You rely on your staff to take cybersecurity seriously and engage in your security awareness program,
but your staff relies on you to implement the security infrastructure to help them succeed. Think about
your risk, needs and obstacles to achieving your goals and match your IT accordingly.

Step 2: Get Buy-In

You know how important cybersecurity awareness is and so should the leaders of your organization.
Getting buy-in from leaders within your organization will help you capture the cross-departmental
support you need to make security awareness part of your organization’s culture.

How can you do it?

Involve more than just your IT team when planning your security awareness program. Make sure all
leaders understand your goals and ask for suggestions. By including leaders throughout the
organization, you can build a security awareness campaign that works for everyone and recruit
ambassadors for your program along the way.

https://www.infosecinstitute.com/blog/5-steps-to-building-a-cyber-aware-staff/ 1/3

Step 3: Personalize Learning Paths



Everyone learns through different methods, at different paces and from different starting points. The
only way to make security awareness stick is to personalize training to each employee’s role and
security aptitude. This allows you to identify individual knowledge gaps and educate staff accordingly.

What works best?

The best way to personalize learning paths is to construct a one-to-one campaign including security
awareness training, phishing simulations and individual assessments. By using these tools in a
personalized campaign, you can measure the security aptitude of each employee and automatically
tailor training to address their knowledge gaps. You can use this same data to gauge the effectiveness
of your security awareness training program over time.

Step 4: Engage Staff & Empower Mentors

Recruiting and training security champions is an effective way to create a culture of security at your
organization. Security champions act as ambassadors of your training program and can have greater
success influencing the behavior of their peers than management or computer-based training alone.

What’s the best strategy?

Find people outside of the IT department who are excited about security. These are staff members who
quickly adopt security best practices and can serve as a technical resource for their coworkers outside
of your IT team. You can even incentivize training for security champions to build an even stronger
network of peer influencers.

Step 5: Promote & Measure

A successful awareness training program starts with an engaged staff. Engage the entire organization in
training — from the summer intern to the CEO. Promote your security awareness efforts, measure the
success of your campaign and turn security awareness into a team effort.

What can you do?

Hang posters to reinforce security awareness training, display leaderboards to promote friendly
competition or even run contests to reward the most engaged or most improved members of your
organization.

Building a secure infrastructure requires a cyber-aware staff prepared to handle threats that slip
through your technical controls. At InfoSec Institute, we know it can be challenging to address the
human element of cybersecurity. That’s why we built SecurityIQ, a solution designed to engage and
motivate all learners to care about cybersecurity, improve their security habits and report suspicious
activity. SecurityIQ integrates phishing simulations with interactive security awareness training to
deliver security coaching personalized to each employee’s role, security aptitude and learning style.

Author
Tyler Schultz


©2018 InfoSec Institute, Inc. - InfoSec Institute, the InfoSec Institute logo, SecurityIQ, the SecurityIQ logo, PhishSim, PhishNotify,
PhishDefender, AwareEd and SkillSet are trademarks of InfoSec Institute, Inc.

GIAC® is a registered trademark of the SANS Institute. PMP is a registered trademark of the Project Management Institute, Inc. ITIL®
and IT Infrastructure Library® are registered trademarks of AXELOS Limited. The Swirl logo™ is a trademark of AXELOS Limited.
InfoSec has no affiliation with Red Hat, Inc. The Red Hat trademark is used for identification purposes only and is not intended to
indicate affiliation with or approval by Red Hat, Inc. All other trademarks are the property of their respective owners.
