The conversation around security awareness training and the role of humans in cybersecurity often focuses on failures and the idea that awareness training is worthless. However, this perspective overlooks the multiple layers of technology that must be breached before a phishing email ever reaches a human. Even after a click occurs, there are additional layers of technology that must fail for a threat to take root. These failures are not enough reason to give up on humans as a critical layer in the security stack.
To change this conversation, security leaders should recognize the importance of the human layer and invest in its development. Rather than viewing awareness training as a standalone solution, it should be seen as part of a larger security culture. While awareness is essential, it is not enough. True security culture involves not just being aware of threats, but caring about them and taking responsibility for security within the organization.
Creating a strong security culture requires a shift from traditional awareness training to a more engaging and interactive approach. One example is gamifying security training and simulation programs, turning them into healthy competition: employees compete to catch phishing attempts, fostering a sense of pride and community. Another approach elevates phish reporting, so that employees who report a suspected phish are recognized and rewarded for their contribution to protecting the organization.
Building a security culture is about influencing behavior patterns and belief systems across the organization. It is about nurturing a sense of shared responsibility and instilling a mindset of resilience against cyber threats. By investing in the human layer, organizations add a critical component to their security stack.
However, building a human defense layer is not a one-time effort. Just like any other layer of security, it must evolve and adapt to the ever-changing threat landscape. There will be failures and vulnerabilities, but these should serve as learning opportunities rather than a reason to give up on the human element.
The solution is to evolve the complete security stack, including the human element. When a problem arises in a technological layer, organizations invest time and resources into understanding what went wrong and preventing it from happening again. The same approach should be applied to the human layer. Rather than blaming or chastising employees for clicking on bad links, organizations should learn from these failures and reinforce security practices.
This can be done by rewarding good behavior and avoiding punishing employees for mistakes. It also involves providing a wide range of training content to keep employees engaged and promoting healthy competition. Making security training fun and meaningful will help employees truly care about security and become active participants in protecting the organization.
A strong security culture consists of a human layer alongside the technological layers. It recognizes that, just like technology, humans are not perfect and can be flawed. However, with the right investment, training, and reinforcement of security practices, the human layer can become a crucial part of the organization’s overall security strategy.
