Why do some organizations often use two or more security awareness training solutions at once?
That’s a question that grabbed our attention when it popped up on social recently. The comment highlighted the following cyber security oddity…
Increasing numbers of organizations today are investing in some form of “innovative” security training designed to reduce human cyber risk by improving security behaviors.
But the same organizations often invest in a second form of security awareness training software, too.
The second form is quite different from the first. It’s far from innovative or engaging. Instead, it’s dated. Dry. Dull, even. Plus, it’s unconcerned with reducing human cyber risk. Instead, it’s designed predominantly to help companies achieve compliance.
What makes that so odd? Well, if the innovative, risk-reducing solutions actually reduce human cyber risk, shouldn’t they help with compliance by definition?
And, if so, why do organisations today still bother running both forms of training?
The obvious (but wrong) answer
At first, the above seems easy to answer: Regulators must have it wrong. Presumably, the regulators are asking organizations to do the wrong things.
But that’s simply not the case. Boiled down, regulators simply want organizations to make a serious effort to manage human cyber risk.
And that’s exactly what innovative, risk-reducing solutions do.
So why do compliance-only solutions remain so prominent? The answer lies in security awareness training history. Even as early as 2017, solutions that demonstrably changed behaviour and truly reduced human cyber risk were rare.
Cyber crime wasn’t exactly new. But the market was behind the times. Breaches of Equifax magnitude were making headlines. Organizations wanted to arm their people with security training. Regulators were encouraging the same thing. So organizations relied on their existing Learning Management System (LMS) vendors for support.
The LMS vendors were comfortable with designing compliance-focused training platforms and solutions. They already offered things like Health and Safety and Anti-money Laundering training.
And they were quick to add security awareness training to their Learning Management Systems.
There was just one problem. The cyber security training was developed by training specialists rather than security, psychology, behavioral change and data science specialists.
From a compliance perspective, the LMS security awareness training was perfect. It helped organizations be “compliant”. Unfortunately, most people subjected to the training platform hated it, and it failed to change security behaviors and cultures.
And that meant organizations’ human cyber risk didn’t reduce. Threats scaled. And the breaches continued.
The rise of risk-reducing “ABC” solutions
With phishing and cyber threats mounting, CISOs began to get the message out: “Compliance” was a minimum requirement. Organizations needed to focus on risk-reduction.
This was supposed to be about managing and reducing risk. They needed to advance improvements in security Awareness, Behavior and Culture (ABC) simultaneously.
Risk-reduction climbed boardroom agendas and leading CISOs began investing in risk-reducing Awareness, Behavior and Culture change security training.
Thanks to a focus on science and data (we’ll go ahead and plug CybSafe here) rather than simple phishing simulations, the new solutions demonstrably reduced human cyber risk.
Regulators, HR, boards, customers; the innovative, engaging and effective training modules and solutions meet stakeholder needs.
But still, compliance-only information security awareness training refuses to die.
Why does compliance-only cybersecurity awareness training live on?
To be clear, we are now certain organisations no longer have to rely on compliance-only security training from their Learning Management Systems.
Solutions like CybSafe’s ABC platform meet compliance requirements and reduce human cyber risk (and integrate into their existing LMS!).
Unfortunately, in some large organizations, ditching compliance-only security training is easier said than done. Efforts to banish it can trigger battles with internal stakeholders.
Today, some security professionals care enough about their users to do more than compliance-only security awareness training modules, but they don’t consider the additional battle of rationalization one worth fighting.
Often, dull and mandatory security awareness training remains part of favored Learning Management Systems.
Plus, just a shred of doubt in an innovative solution’s ability to meet compliance requirements probably justifies the use of two solutions in the mind of the security professionals.
And so the status quo continues. Some organizations use two (or more) security awareness training solutions.
Is the status quo set to continue?
Along with CybSafe, the NCSC now advocates people-centric security.
The movement probably means that, sooner or later, organisations are going to demand unifying security awareness training solutions that both reduce human cyber risk and keep organisations compliant.
In anticipation, some security vendors are already adding things like health and safety training material to their content libraries in an effort to become diverse Learning Management Systems.
In our opinion, that’s risky. After all, CISOs enlist security Awareness, Behaviour and Culture solutions because Learning Management Systems are too generic.
They provide access to training content. They don’t change cyber security awareness and behaviors.
A better alternative, we believe, lies in integrating engaging and innovative security solutions with legacy Learning Management Systems. That way, organizations get risk-reducing training that keeps them compliant and lives in existing Learning Management Systems.
That’s precisely why the CybSafe team have been working so hard on integrations lately. If it reduces security frictions and cyber risk, we’re all for it. After all, compliance without risk-reduction is a very questionable goal.
Especially when solutions like CybSafe help achieve both… without asking too much of busy employees.