Global UK US

What makes an effective security awareness program?

Education and training: It’s accepted that this should be widespread and ongoing yet breaches occur every day. Where are companies going wrong, and how can they change that? Digital Defense, Inc.’s Gordon Mackay has some simple advice on how to make a security awareness program more effective.


Companies still treat security training with a ‘compliance lens’ and don’t acknowledge that this has limited impact. Organizations should employ a security awareness program that fosters a culture in which employees feel they are active participants in defending their organization (and themselves), and are making a real difference.

Companies still treat security training with a ‘compliance lens’ and don’t acknowledge that this has limited impact.

An effective security awareness programs includes:

  • Ensuring buy-in from top level executives, where the executive team sets the tone in a positive and encouraging fashion.
  • Ongoing (e.g. once a month), short training sessions, which include a degree of fun to better engage trainees. It’s difficult to cover every possible security topic but by employing short, fun training at regular intervals, trainees are more likely to learn on their own outside of training.
  • A means of measuring retention of the training, which is not punitive but encouraging and positive.
  • A mechanism to effectively integrate the training into daily operations. For example, the awareness campaign may include a mechanism to share employee noted security incidents with the organization’s cyber security defense teams. Also consider positive recognition to encourage participation. In a sense, this is like viewing the employee as a human intrusion prevention system.

Gordon Mackay is EVP and CTO at Digital Defense, Inc.,