Last October, during National Cyber Security Awareness Month, Frederick Scholl penned the headline “Time to Kill Security Awareness Training” in CSO magazine. The headline came as a shock to many readers. However, those who were initially taken aback by it were surprised to find that Scholl was not calling for the death of security training, or even for cutting back its funding. He was suggesting that security awareness training be made stronger, more effective, and more comprehensive.

The first step, Scholl says, is replacing awareness with education. “The goal of educating users about security is to facilitate an organizational change so that security is part of the company culture,” he writes. “Obviously you need a security strategy. You also need to assign roles and responsibilities in the security structure. This needs to include the whole organization, not just the office of the CISO. Awareness training alone will not be enough to facilitate an organizational change.”

Effective security awareness training will change an organization’s security culture. People will start asking questions, understanding and reporting risks, and realizing that cybersecurity isn’t just a workplace issue, but a personal issue as well.