Why do some organisations often use two or more security awareness training solutions at once?
That’s a question that grabbed our attention when it popped up on social recently.
The comment highlighted the following security oddity…
Increasing numbers of organisations today are investing in some form of “innovative” security training designed to reduce human cyber risk by improving security behaviours. But the same organisations often invest in a second form of security training, too.
The second form is quite different from the first. It’s far from innovative or engaging. Instead, it’s dated. Dry. Dull, even.
Plus, it’s unconcerned with reducing human cyber risk. Instead, it’s designed predominantly to help companies achieve compliance.
What makes that so odd?
Well, if the innovative, risk-reducing solutions actually reduce human cyber risk, shouldn’t they help with compliance by definition?
And, if so, why do organisations today still bother running both forms of training?
The obvious (but wrong) answer
At first, the above seems easy to answer:
Regulators must have it wrong. Presumably, the regulators are asking organisations to do the wrong things.
But that’s simply not the case.
And reducing human cyber risk is exactly what innovative, risk-reducing solutions do.
So why do compliance-only solutions remain so prominent?
The answer lies in security awareness training history.
Even as recently as 2017, solutions that demonstrably changed behaviour and truly reduced human cyber risk were rare.
Cyber crime wasn’t exactly new. But the market was behind the times.
Breaches of Equifax magnitude were making headlines. Organisations wanted to arm their people with security training. Regulators were encouraging the same thing. So organisations relied on their existing Learning Management System (LMS) vendors for support.
The LMS vendors were comfortable with designing compliance-focused training solutions. They already offered things like Health and Safety and Anti-money Laundering training. And they were quick to add security awareness training to their Learning Management Systems.
There was just one problem.
The cyber security training was developed by training specialists rather than security, psychology, behavioural change and data science specialists.
From a compliance perspective, the LMS training was perfect. It helped organisations be “compliant”.
Unfortunately, most people subjected to the training hated it, and it failed to change security behaviours and cultures. And that meant organisations’ human cyber risk didn’t reduce.
Threats scaled. And the breaches continued.
The rise of risk-reducing “ABC” solutions
With cyber threats mounting, CISOs began to get the message out:
“Compliance” was a minimum requirement. Organisations needed to focus on risk-reduction. This was supposed to be about managing and reducing risk. They needed to advance improvements in security Awareness, Behaviour and Culture (ABC) simultaneously.
Risk-reduction climbed boardroom agendas and leading CISOs began investing in risk-reducing Awareness, Behaviour and Culture change solutions. Thanks to a focus on science and data (we’ll go ahead and plug CybSafe here), the new solutions demonstrably reduced human cyber risk.
Regulators, HR, boards, customers: the innovative, engaging and effective solutions meet every stakeholder’s needs.
But still, compliance-only training refuses to die.
Why does compliance-only training live on?
To be clear, we are now certain organisations no longer have to rely on compliance-only security training from their Learning Management Systems. Solutions like CybSafe’s ABC platform meet compliance requirements and reduce human cyber risk (and integrate into their existing LMS!).
Unfortunately, in some large organisations, ditching compliance-only security training is easier said than done. Efforts to banish it can trigger battles with internal stakeholders. Today, some security professionals care enough about their users to do more than compliance-only security training, but they don’t consider the additional battle of rationalisation one worth fighting. Often, dull and mandatory security awareness training remains part of favoured Learning Management Systems.
Plus, just a shred of doubt about an innovative solution’s ability to meet compliance requirements is probably enough to justify running two solutions in the minds of security professionals.
And so the status quo continues. Some organisations use two (or more) security awareness training solutions.
Is the status quo set to continue?
Along with CybSafe, the NCSC now advocates people-centric security. The movement probably means that, sooner or later, organisations are going to demand unifying security awareness training solutions that both reduce human cyber risk and keep organisations compliant.
In anticipation, some security vendors are already adding things like health and safety training to their content libraries in an effort to become diverse Learning Management Systems. In our opinion, that’s risky. After all, CISOs enlist security Awareness, Behaviour and Culture solutions because Learning Management Systems are too generic. They provide access to training content. They don’t change security behaviours.
A better alternative, we believe, lies in integrating engaging and innovative security solutions with legacy Learning Management Systems. That way, organisations get risk-reducing training that keeps them compliant and lives in existing Learning Management Systems.
That’s precisely why the CybSafe team have been working so hard on integrations lately. If it reduces security frictions and cyber risk, we’re all for it.
After all, compliance without risk-reduction is a very questionable goal.
Especially when solutions like CybSafe help achieve both… without asking too much of busy employees.