In a recent blog I discussed a bit of rather alarming ESG Research data. When asked to define the most important processes related to confidential data security, 47 percent of North American and Western European security professionals point to "communicating and training employees on confidential data security policies." Unfortunately, it turns out that many large organizations aren't very good at communicating or training on confidential data security policies: 28 percent of security professionals rate their organization as "fair" or "poor" in this area.
So what's the problem? Some organizations minimize this task and provide only generic training. In some firms, users are not accountable for attending training classes or reading materials. Finally, some organizations provide security training that is about as exciting as watching paint dry. Let's face it, security professionals tend to be pretty techie and the concepts can be complex. I've seen too many instances where security trainers lose the audience on the first slide of their presentation.
When I do end user security training, I am a firm believer in making it as entertaining as I can. I try to mix current events, comedy, and everyday examples into my act to keep people engaged. I'm not the only one to add a little show business to security training. After a recent blog, I got an e-mail from the creative director of a communications firm in the UK. He sent me this link to a video the company produced for Barclays Bank to encourage employees to view a security training page posted by the internal risk management team. Funny stuff (reminded me of the British version of "The Office"), and apparently traffic to the page increased substantially over the next year.
I have no idea how much this video cost Barclays or how they measured ROI on this effort. I do know, however, that protecting confidential data is a huge problem and employee training is an important part of any solution. If the results at Barclays are any indication, more organizations should marry serious security training efforts with a bit more shtick.