We hear a lot of types of “literacy” discussed, whether it’s the traditional definition of “reading skills” or financial, computer, digital, information or technology literacy. In the 21st century, there’s a new, incredibly important type of literacy: cybersecurity or information security literacy.
Cybersecurity literacy doesn’t describe the technical skills required to actually prevent or repair hacks. Rather, it’s a broad understanding of who the attackers are and what they’re looking for – an understanding of cyber-risk and the ability to see patterns related to it. As Ric Messier, head of Champlain College’s cybersecurity program, says, it’s “important that everyone understands at a very basic level what they’re doing that may put them at risk.”
Messier believes in what he calls an educational model of cybersecurity training. This model works to increase information security literacy in the workplace rather than focusing on short, targeted courses about one type of attack – or the required online courses that he describes as “click-fests,” in which learners just click through slides or modules because they have to. Developing information security literacy creates a deeper understanding than “just bullet points,” and he recommends using an educational model in addition to targeted courses on, for example, phishing attacks.
This type of model also goes beyond basic awareness by focusing on developing an actual understanding of cybersecurity. As information security adviser Frederick Scholl writes in an editorial for CSO Online, “we need to replace awareness with education” now that “technology is an integral part of everyone’s work and personal lives.” To make this move from awareness to education, he writes, information security needs to be part of company culture, and employees must understand security and implement it into their jobs.
To avoid click-fests and make cybersecurity training more engaging, Messier recommends making sure employees understand how it impacts them directly by answering the question, “How are you at risk?” Hackers are just as interested in personal information as they are in corporate information, and if learners understand that, they engage with the training. There’s a “really nice dovetail” in that when employees learn how to protect themselves, they naturally end up protecting the organization as well.
There’s a lot of talk about the cybersecurity talent shortage, and Messier observes that by training existing employees – whether in IT or not – on cybersecurity topics, companies can help close the skills gap without having to hire new employees. If more employees are aware of what they can do to help prevent attacks, fewer specialists are needed.
For organizations wanting to develop information security literacy in their workforce, Messier recommends partnering with a higher education institute or corporate training provider with expertise in cybersecurity. For example, AT&T partnered with Champlain College to train their employees in cybersecurity skills. The employees took a few courses on the specific skills that AT&T wanted them to have in order to protect their business and their customers.
AT&T – and Champlain – got a surprise bonus when the courses sparked an interest in some employees, who took additional courses to get certified or even enroll in a degree program. According to Messier, one salesperson’s cybersecurity certification “had an enormous impact on him,” as he became more effective at selling to and educating his customers.
Companies can also work with a vendor to develop in-house courses, Messier notes. Regardless of how the sourcing relationship works, there are a few important considerations to keep in mind. As in any partnership with a training provider, it’s important to make sure that the two organizations’ goals, objectives and values are aligned. However, with cybersecurity training, it’s especially vital that both companies understand that the initiative is not being developed just for short-term impact. To truly develop an information security-literate workforce, organizations must be in it for the long haul, ensuring employee development throughout their tenure.
Attacks will continue to evolve. When hackers realize that a strategy no longer works due to education, they will find another one. That’s why lifelong cybersecurity learning is so important. When employees have developed information security literacy, they will begin to spot patterns, because they understand the underlying concepts. Then they’ll be better prepared to protect themselves – and the organizations they work for.