Value of Awareness Training Questioned
CIOs Don't Show Much Enthusiasm for Employee Education
Ask federal chief information officers about the effectiveness of employee awareness training to reduce cyber-vulnerabilities, and you'll get a big shrug of the shoulders, at least from half of them.
That's a takeaway from a survey of U.S. federal CIOs released this month by TechAmerica, the trade group representing IT manufacturers. Half of the CIOs surveyed say education and training is neither effective nor ineffective; about 40 percent contend it's effective or very effective; only 8 percent rate it as ineffective. And none say it is very ineffective.
The numbers don't tell much except that reliance on training needs to be beefed up if it's to be an effective tool to battle the growing cyberthreat facing organizations in and out of government.
Comments sprinkled through the report furnish a bit of insight on how some CIOs think about their approaches to cybersecurity. Of particular note are the anonymous responses from CIOs on how they manage IT security risk, especially the role of training and educating employees about cybersecurity.
One CIO pooh-poohs cybersecurity training: "Employees just click through the training and are not really paying attention. It is just a check-the-box exercise." That CIO, though, suggests the way to engage employees is to improve the training's graphics and animation. Really?
One government agency phished its own employees, and nearly one in five receiving a tainted e-mail took the bait. "Those who fell for it were directed to a page and told they had been phished," the CIO says. "Then we provided some on-the-spot training and education. The reaction was actually very positive."
Another CIO locked out employees who failed to complete their training. "The system lockout is effective in terms of getting the users' attention, but if a person with a high case load, administrative rights, sensitive information processing rights, highly time-sensitive duties etc. gets locked out, it may cause problems and interruptions to daily duties. Also, executives who get locked out are not especially pleased when this happens."
That's one thing you don't want your education and training program to do: exasperate those who provide the funding for cybersecurity training initiatives.