You may have been thinking recently that your company needs to implement security awareness training. Maybe you’ve had a scare in which a few employees accidentally clicked on a phishing link in their Facebook inbox, and you decided that this behavior is risky not only for the person but also for the organization.
How do you get started building security awareness training for your organization?
1. Recruit A Champion
A champion will sponsor the initiative at the highest levels within the company. This person has direct lines of communication with the CEO or other key stakeholders.
You may be the champion, or you may persuade someone with more clout to support the project.
2. Get Buy-In
Getting buy-in is the next logical step. Otherwise, why develop a project that isn’t supported?
The champion is largely responsible for getting leaders to agree to commit to this project.
However, this process can be difficult.
“Our research has shown that 70% of all organizational change efforts fail, and one reason for this is executives simply don’t get enough buy-in, from enough people, for their initiatives and ideas,” says Dr. John Kotter in an interview with HR Bartender.
Kotter offers some tips for success.
Be prepared. Practice bolstering your case with trusted colleagues.
Use more than data, logic, and reasoning. Numbers alone may not hold others’ attention.
Involve emotions. They are “essential to changing behavior.”
3. Define Success
Now that your security awareness effort has been greenlit, it’s time to define success.
Who do you want to train?
When do you want to train them?
How long will the training take?
What type of content needs to be developed?
Do you have the right expertise, or do you need to consult a subject matter expert?
All of these questions and more are likely to pop up.