"Flip it on its head" - Egress' Tony Pepper on reworking security training
Security awareness training is broken, and it needs a change to bring it back to its original intent.
That was the message from Tony Pepper, CEO of Egress Software, speaking to Computing editor Stuart Sumner in a recent interview.
"No-one would argue that we need to educate employees," said Pepper, "but the key question is: is [the training] impactful? Is it making a difference?"
He argues that security awareness training (SAT) has become "a box-checking exercise" - more about "have you sat it?" than "is it making a difference?"
That's especially relevant when people are forced to complete their training for regulatory or compliance requirements.
"We sit through, with gritted teeth, content that at best is boring, and at worst we don't even see it anyway. How many people, if you were truly honest, sit through those videos and fast-forward it to the questionnaire?"
This is a common issue with SAT: people only care about passing the questionnaire, because going any further than a simple pass mark has no effect. Thus, people only care about the "minimum baseline" to demonstrate they've actually sat the course.
The reality of that situation is that no-one really remembers anything from the training, and many don't change their behaviour.
Pepper argues that the training industry needs to reach a place where people are genuinely engaged, understand risks and are better informed and educated after completing it - to the point where their habits change. Today's broad-based training isn't effective at dealing with specific threats that can have a significant impact on the business, like phishing. You have to do something that "flips [training] on its head."
A good place to start is by "joining the dots" between threat detection and training, which have been very distinct and separate fields in the past. For example, Pepper suggests training people immediately after they encounter a security mistake - once the threat has been handled. Doing so draws a clear line between actions and threats, and means the security team can add important context around what could have happened.
Pepper had many more tips, as well as an interesting discussion around making security part of KPIs. Watch the video above to hear the rest.