How To Design A Role Based IT Security Training Program

Your people can be your greatest threat or your greatest IT security weakness. Reinforcing the importance of IT security regularly is helpful. However, you also need to equip your employees with the skills and knowledge to make smart decisions. Without robust IT security training, your staff is more likely to make security mistakes.

Now, here’s the awkward reality. Corporate training programs have a mixed reputation. Many of these courses tend to be boring, and some people complain that corporate training offerings are not relevant to their job situations. To address the relevance complaint, there’s a new approach: role-based IT security training.

Why Do You Need A Role-Based IT Security Training Program?

Depending on your situation, you may not need this type of training. Role-based IT security training is a relatively advanced practice. It is highly recommended for organizations that face high security demands, such as banking, health care and government. In other industries, you may still want to consider implementing it because it will help you persuade customers that you have robust security.

Fundamentally, role-based IT security training helps to solve the problem of relevance. It is challenging to design IT security training that speaks to the needs of all employees. For example, consider the security needs of a customer service representative: they handle customer data every day. On the other hand, consider the perspective of a software engineer. They may not touch customer data very often, but the software they develop has significant security implications. These two types of employees have different security needs. That’s why you need to offer role-based IT security training.

Develop Your Role-Based IT Security Training Program

Use these steps to develop your role-based cybersecurity training curriculum. If you already have a program in place, ask yourself when you last reviewed and updated the program. If it has been more than a year, you’re due for a refresh of your training program.

1) Assess Your Existing IT Security Training

Unless your company is brand new, you probably have some form of security training program already. It may be an introductory password management course. Alternatively, it might be a full-day seminar covering cyber security, physical security and more! Before you make changes, review what you already have in place with a focus on these questions:

  • When do employees tune out during training? If most employees visibly become bored or disengaged at specific points, that’s a sign your training may not be relevant.
  • What are the patterns you see in employee questions? Questions may signal unclear information.
  • What patterns do you see in training requests? If employees regularly ask for supplemental training on security matters, those requests tell you that you have a gap.

2) Identify Employee Roles With A High Security Risk

In terms of IT security risk, employees are not equal. For example, IT managers and software developers regularly make significant technology decisions that impact security. In contrast, a sales representative has different IT security needs. So where do you get started? We suggest focusing on the job roles that carry the highest IT security risk, usually a combination of technology roles and managers.

3) Define Role-Specific IT Security Risks

Your next step is to identify the role-specific IT security risks. To illustrate the concept, here are some examples for different job roles.

Managers must approve system access requests from their employees. Therefore, they need training on how to quickly assess and decide on access requests.

Software developers often interact with systems that contain highly sensitive customer data. If databases, apps and systems are not properly configured, your company is much more likely to be hacked.

For your first IT security training program, keep your focus on two job roles. After your initial program is launched, you can return to this process and develop additional role-based IT security training.

4) Outline Process And Technology Training Concepts

For role-based IT security training to be effective, you need to cover both process and technology. For example, you may cover password management. Use these suggestions to cover the topic from both perspectives.

Password Process

  • Do Not: Write down company passwords on scraps of paper.
  • Do: Get a password reset instead of guessing your password after vacation.

Password Technology

  • Use The Fast Way To Obtain Password Resets: Use Apollo.
  • Supplement Passwords With Multi-Factor Authentication: Guide employees on the situations where MFA is helpful (e.g. working away from the office).

5) Deliver The Initial Role-Based IT Security Training Program

Now you are ready to offer your first role-based IT security training session. Reach out to a few managers in your company to offer the program. For the best results, seek out an executive sponsor related to the job role. For instance, if you are offering a cybersecurity training program for software developers, seek support from the chief technology officer (CTO).

6) Gather Feedback To Improve The Program

After you deliver your first few training sessions, get in touch with your training participants to seek their feedback. Specifically, ask whether the training provided was at the right level of sophistication for their needs. To avoid a people-pleasing response, it is best to collect this type of feedback through an anonymous survey.

What’s Next In Your IT Security Program?

Improving training will go a long way toward improving your security defenses. However, there is much more you can do. We recommend exploring the following articles for tips on your next IT security project. Remember, there is no such thing as “done” in cybersecurity. The price of a successful defense is constant vigilance and improvement.

Improving IT Security Audit Quality With Technology. IT security audits don’t have to be painful when you use this technology.

How To Prevent IT Security Department Burnout. When your security specialists start to feel burned out, your company will suffer. Discover how to prevent this common problem.

How To Use Password Management Reports To Control Risk. When you equip managers with the right reports, they can make smart decisions to reduce risk.

Written by Nelson Cicchitto