Organizations of All Sizes Need IT Security & Privacy Training

Many organizations create broadly scoped information security training for all their personnel to take, but too few create targeted training for groups that need specialized knowledge on certain topics. Different departments within an organization handle different types of information, and have different types of contact with business partners, customers and other employees. So doesn’t it make sense that the payroll folks would need training specific to their job responsibilities, and sales folks would need training specific to their responsibilities, which are very different from those of the payroll folks, and so on? Legal requirements also mean that those in various industries need specialized training. For example, those in the healthcare space in the U.S. need HIPAA training.
According to the U.S. Census Bureau, small businesses employ more than half of all Americans. Very few small and medium sized businesses (SMBs) have specialized IT staff; most of the owners or personnel take on the day-to-day IT tasks themselves, operating on a wing and a prayer that nothing will go wrong. These huge numbers of folks within SMBs are also taking care of the IT security and privacy activities…hopefully.

Many SMBs mistakenly believe that they need to take minimal security actions to protect their business and customers. However, as the growing numbers of privacy breaches, a significant number of which occur within SMBs, demonstrate, this belief is both inaccurate and dangerous. Cyber attacks against SMBs are growing rapidly, having severe impacts on business operations and the SMBs’ customers and employees. SMBs must also participate in specialized IT information security and privacy training.
The second article in my July issue of “IT Compliance in Realtime Journal” is “Providing IT with Information Security and Privacy Education” and discusses the types of specialized IT security training that personnel within organizations, of all sizes, need to have.
Here are the first couple of sections from that article…

Information security and privacy training content and awareness communications and events must be designed based upon the learning objectives of the associated target groups. The training delivery method should be based upon the best way to achieve your objectives. In choosing a delivery method, consider the learning objectives, the number of learners, and your organization’s ability to efficiently deliver the material. Curriculum, content, and development must be designed and created for the topics you have identified to this point, tailored to your target audiences and the chosen training methods. Training delivery for IT personnel typically is most effective through classroom training, group case studies, and computer-based and online training modules.
The training content for IT professionals should be based upon the procedures, technologies, and practices the IT personnel must perform to be in compliance with your information security and privacy policies and standards as well as with their own area’s procedures. The goal is to instill a culture of information security and privacy thinking into their daily work habits so that supported actions occur naturally and automatically throughout the entire spectrum of activities IT personnel take while performing their job responsibilities. In addition to providing periodic targeted training content, you need to offer ongoing awareness communications and activities to effectively reinforce within your IT personnel the routine security habits they should follow in every one of their job responsibilities.
You know how buckling your seatbelt becomes almost an unthinking, automatic action after you have done it day after day? That is how you want your personnel to handle safeguarding information resources during the course of their work: in an almost automatically secure manner.
Don’t Drown Your Personnel in Information!
There is a very wide range of information security and privacy topics for which IT personnel should receive training and ongoing awareness communications. It is ridiculous for otherwise smart business leaders in general, and IT practitioners in particular, to claim that training and awareness efforts are useless based upon giving one training session (typically bad training) once a year and then still seeing information security and privacy incidents occur!
There are many reasons most training and awareness efforts are not effective. One big reason is that the organization tries to stuff 15, 30, or even 60 information security and privacy issues into the training session. Too much information inundation makes people’s brains coat over with Teflon, and all information slides off and into their cold cups of coffee into which they are close to doing a face dive.
Effective training addresses just a few key issues at a time. I’ve found covering three issues to be most effective with most groups. Based upon the type of delivery, the training should also be comparatively brief, 15 to 30 minutes for most topics. For personnel groups within business settings, I have found that when training runs longer than 30 minutes, the folks in the training group usually do not effectively take in or understand any of the content covered past the 30-minute mark.

Do you provide targeted IT security & privacy training within your organization?
If you are in an SMB and are responsible for information security in addition to many other types of business activities, have you had IT Security and Privacy Training to help ensure you are protecting your business most effectively?
Thoughts? Comments? Let me know!
