Q&A Series: Security Awareness Panel

September 18, 2020 • Video

What is the best way to baseline security awareness levels in an organisation? What metrics can be used to track behavior improvements?

What processes do you have in place to manage employees who continually fail a phishing campaign, even after training and education material have been provided?

What is the best way to run ongoing awareness campaigns targeted at certain groups/roles in the organisation, e.g. the exec team, the IT admins, the finance team? They obviously all need basic awareness training, but on top of that more security training targeted to their roles. So how do we do that and keep a good overall view of the results?

Do we need to redesign our security awareness programs given the sudden increase in remote workers, and if so, how? Should we combine home security with work security?

How do we extend security awareness programs to include third party organisations that are critical to our infrastructure, and what role should procurement play?

What advice do you have on finding the right balance between enough training to provide the knowledge base and not over-promoting cyber security to the point where people disengage?

What about understanding the security culture at the exec and board level? What metrics / data points should you look for and measure? And does culture only thrive and survive if it is led from the top?

As phishing becomes more and more sophisticated, how do you train users to detect an attack? How do you make the simulations increasingly more effective to match?