Security for All Sizes: Security Training Considerations

Mandatory Security Training: the crux is the circular logic of the “mandatory” part. It has to be mandatory so that we all do it, but because it had to be made mandatory, we all know that we’re going to hate it. The fact that it’s security training doesn’t really impact the whole “mandatory” thing. If I get into pottery and start watching YouTube videos on how to wedge clay, I’m happy to watch those videos because I want to know more about something that makes me excited. Force me into a pottery class, however, and I’m playing the video through on double speed with the sound muted so that you have a record that I completed the video.

And that’s what most people do with anything mandatory. Game the system, find a weak spot, then exploit the weak spot to reduce the overall drudgery and/or misery of the experience. I spent 16 years in a classroom, so I know all about avoiding the mandatory stuff, both as a purveyor of the mandatory and as a victim of the mandatory.

I have the worst news for the biggest companies: the majority of your training is no more than ticking a box, I’m afraid. Smaller companies can have the best success, provided they have the right person doing the training.

Why do smaller companies have the best shot at success? It’s due to both their size and constrained budget. If their IT person is a patient soul, there will be lots of personal interaction on all kinds of topics, security included. One of my best experiences with training came from something that happened while I was at lunch. I locked my PC and walked out to get something to eat. While I was out, a co-worker reached out to me with an issue regarding her sound card. My out of office status came up on her screen, and that solved her problem. My status? It was a line from The IT Crowd:

Her next two responses were, “I’ll try that” and “Thanks that worked”.

When I got back from lunch, I realized that my OOO had taken care of an incident ticket. Really, it was my co-worker who took care of the ticket by training herself. I went back to talk with her about the experience and why power cycling actually does resolve most issues, and the rest of her group listened in. By the end of the day, the rest of the company was talking about it – and when they called in, they always prefaced it with how they had turned it off and on again and the problem still happened.

My call volume dropped off by a massive amount and the staff were ready for more insights on how to use their tech better. I would say something like, “never click on an attachment you didn’t ask for” and whoever heard it would help spread the message. When I showed up to work at PCs that needed attention, I did my best to include at least one security topic in the conversations that happened as we traversed the vast expanses of time required to update vendor software packages.

We were all working for the same company and we all had a vested interest in the survival of the company, so we were interested in knowing how to protect and better utilize its resources. Nobody made security training mandatory. We just all happened to be interested in it at the same time.

When I left that small company and started working at Global Megacorporation, I could still have moments like that with my immediate co-workers and people I worked with directly on issues, but there were too many departments and too many physical sites for me to be able to reach everyone. So, the question is, can we get personalized training for everybody at a big company? Does it scale out well?

The answer, sadly, is no. Even if local education was part of every IT job description, there simply aren’t staff at every location. Added to that is how most of those big corporations also have outsourced IT – and these are people who, at the end of the day, don’t work for the company that’s using their services. They may be friendly and supportive and all that, but they simply won’t have the same attachment to their customers’ firms that the customers themselves could possibly have.

On top of that, it’s a huge, impersonal company, right? There are going to be a lot of people that work there who simply just. don’t. care. They plan to show up, do as little work as possible for as much pay as possible, and then go home. It’s not the entire company, by any means, but there are enough of them to where training has to be made mandatory if it’s going to get done at all.

This crowd of just-don’t-cares will then do everything they can to avoid or ignore the training. If there are no click blocks, they will finish that 37-slide deck in 37 seconds or less. If there are click blocks, then they’ll click, watch a cat video on YouTube, and then turn back to click again. Put a test at the end, they’ll circulate a list of answers. There are psychometric tricks and tips to utilize to minimize those numbers, but we won’t eliminate them.

And then, one fine day, one of these guys trying to do as little work as possible clicks on the wrong link, and the company gets a malware outbreak to go along with that cat video. Every security professional knows it only takes one misstep, and we simply can’t stop all the just-don’t-cares that are bound and determined to make those missteps all along the way.

Now I need to look at the mid-sized companies, and this is the one case where they behave either more like a small company or more like a large one, depending on their size. They are transitioning from that small, informal group where almost everybody cares into a larger, less caring mass. What can be done?

My answer may not be budget-friendly up front, but it saves costs down the road. Keep the training personal. Use classrooms, if you have to. Make the training a conversation, so that the peers who paid attention will follow up with the just-don't-cares who snoozed through it all and get them to care, or at least to hear the lesson.

When people do things as a group, they will praise and encourage those that uphold their common values and pressure those that don't until they conform. That's human nature, and it has a better chance of working than an impersonal, automated, mandatory watch-and-click training. The biggest reason is that it involves repetition over time through conversations, and that simply doesn't happen with an unshared experience delivered through a screen. If the training must be uniform and automated, then have it delivered in a group format. Have local teams watch the training together, discuss it, and then go on to the inevitable test at the end. It's that discussion afterward that is going to make the training part of their work lives and not just a tick in a box on an audit.
