I have been tasked by my organisation to propose and implement a cyber-security awareness program within 6 months, with mandatory training elements. Org: government regulator; staff: 60% are male aged 40+; budget: limited.
Full disclosure: this is my first time at the rodeo with regards to such a project and I would appreciate any assistance that will enable me to deliver this requirement in an engaging, efficient and effective manner. If you have created your own program or leveraged the services of a 3rd Party, I'd love to hear from you!
I am 2 years into defining and now operating my first SAT program at a small company (under 150 employees). IMO the key factors are:
How much time do you have to work on the program per year?
How much time can each employee spend on being trained each year?
How will you measure effectiveness?
How much money do you have to spend annually?
I had 5K USD, 2 weeks to work on the program, wanted data to drive my decisions, and had about 12 hours per year per staff member. I went with KnowBe4 because I immediately recognized that it met my requirements. I did not look at other offerings, so I may have missed something. I do not regret my choice.
Features of the implementation:
Regular Training about data privacy, regulations, phishing, and our information security policies.
Regular tests of staff's ability to spot and handle phishing attempts.
Onboarding new employees.
Delivering software developer focused training.
If I had 2 months per year to work on this program (which I don't), I would
1. Create a better incentive program for spotting test phish.
2. Be better at selecting content for individual employees and team needs.
3. Provide monthly sessions for folk to discuss security training and general issues.
Firstly, are you looking for a cyber security awareness program or an information security awareness program? It's a huge industry problem that we continue to use those terms interchangeably and they are NOT the same thing. I am doing my best to bring awareness about this but it's hard when even the big players are using the word "cyber" because it's "sexy" and it's what sells.
But with that said....
Here are a couple of FREE recommendations
My recommendation for a paid solution would be either
I would definitely start with the free resources and grow from there.
@brandenwagner , thanks for the recommendations; much appreciated!
Hands-up...I'm guilty of the crime of interchanging the two terms. I consider my wrists slapped 🙂
@mmarlow , thanks for this response! It certainly guides my steps with regards to this undertaking and wireframes it in a way that I can grasp and run with. I have attended a few KnowBe4 webinars and my previous manager recommended them also. Always good to get another "nod" 🙂 Thx!
We have a course on that from PDI (aka free for members of (ISC)²) - https://www.isc2.org/Development/Immersive-Courses/Building-Strong-Culture-of-Security
Part of the tack I am taking with our Security Awareness is similar to CPEs. While we have a base hour in the policy that will be provided by the Security Team annually, we have put 8 hours as a requirement per employee. The additional 7 hours can be worked out between the employee and their supervisor. Maybe the dev team needs someone with more threat modeling information, then one could go that way. Maybe IT needs to do some in-depth analysis of the security of a new technology or product. Whatever the employee and supervisor agree on that is security related. That way, it is more of a professional development process, and can adapt to different levels of experience and knowledge in the workforce.