Don’t make security awareness training a punishment


Every technology leader wants a security-aware, cyber-savvy enterprise culture. But what does that mean and how can we get there? There is an ongoing debate regarding security awareness training techniques, engagement and overall effectiveness. Let’s explore…

Creating an enterprise-wide “culture of security” is almost always listed as a top priority for experienced security and technology leaders in the public and private sectors. Back in early 2007, when I was Michigan’s chief information security officer (CISO), I remember being interviewed by Bill Jackson at Government Computer News (GCN) about a long list of security topics. Here is how that interview ends:

GCN: What’s the biggest challenge left?

LOHRMANN: Continuing to work on the culture, to help people understand how important security is at an individual level. … Helping people understand the impact of their actions, I think that’s the biggest challenge.

Fast-forward more than a decade and I believe transforming the security culture remains our greatest challenge as we head toward 2020. But how can we get to this elusive “culture of security” while balancing the cost, benefits and many other business priorities we face? As we think about people, processes and technology, what can we do to enable people and reduce risk over time?

Can “Just in Time” Training Help?

One answer that I am seeing and hearing more about is “just in time” training (or just-in-time learning). According to, there are many practical examples and benefits of just-in-time learning:

“It is walking down to the desk of a more experienced co-worker to ask for a solution when you get stuck on a project. It is looking up Wikipedia when you come across a novel concept during your browsing sessions. It is calling up mom when you want advice on a recipe…”
