Do you have processes for gathering feedback on security awareness training? How can leaders create effective feedback loops to identify and make improvements when needed?

203 views, 4 Comments
VP of Engineering, 2 months ago
To truly test your organization's security training effectiveness, you need to routinely test using simulated attacks. Some of the vendors already have phishing campaign management capabilities. We target the phish-prone users with more frequent training as well as management involvement for frequent offenders.
CISO in Banking, 2 months ago
Yes, we do have a process for gathering feedback on cyber security training. We work closely with our training and development department to conduct quarterly cyber security training modules for all of our employees. I personally provide a brief introduction to our new employee orientation training every month. One way we gather feedback is by offering employees the chance to provide feedback to the training department on the content after every module. This could be about any technical issues or questions they have on the content.

We also monitor weekly phishing reports by employees. We have a report phishing button, and when an employee reports a phishing email as suspicious, we analyze it. If we determine it is malicious, we take appropriate actions to not only remove it from the inboxes of other people who may not have seen it yet, but also to block whatever it is that the phishing email was trying to do. We keep track of these statistics and report them to our regulators. This helps us gauge how effective our training is.

Associate Vice President, Information Technology & CISO in Education, 2 months ago
We also use a similar process. We work with our learning and development team to provide mandatory cyber training for new employees. They can provide feedback and can also email us. We do receive unsolicited feedback on our phishing campaigns, which we take into consideration. For example, we conduct campaigns around tax time or Amazon Prime Day and we do receive feedback on these.
CISO/CPO & Adjunct Law Professor in Finance (non-banking), 2 months ago

I agree with the points made by Steve and John. However, it's important to remember that with feedback for security awareness, it's difficult to know exactly what came in or how many came in. So, while we might say, for instance, that we received 10 reports, so our awareness security is working, it could be that we got 10 fewer emails. Therefore, it's important to be open to the fact that the reason your numbers went up or down may not necessarily be due to what you did. It could be due to an external factor.
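Two of the replies above touch on measurement: the first targets "phish-prone" users who click repeatedly, and the last warns that a raw count of reports says little because the volume of mail behind it is unknown. The following script is an added illustration, not code from any of the commenters or from a vendor product. It runs over a constructed set of simulated-phishing results (the campaign names, user names and record layout are assumptions for the example) and computes per-campaign click and report rates, normalised by how many simulated emails were actually delivered, plus the list of users who clicked in more than one campaign.

```python
"""Phishing-simulation metrics: rates instead of raw counts, plus repeat clickers.

Added example; the data below is constructed, not taken from the discussion.
"""
from collections import defaultdict

# Constructed sample results: one record per simulated email delivered.
# 'clicked'  = the user followed the link; 'reported' = the user hit the report button.
SAMPLE_RESULTS = [
    # Campaign 1 (tax-season lure): 4 emails delivered
    {"campaign": "2024-Q1-tax", "user": "alice", "clicked": False, "reported": True},
    {"campaign": "2024-Q1-tax", "user": "bob",   "clicked": True,  "reported": False},
    {"campaign": "2024-Q1-tax", "user": "carol", "clicked": False, "reported": True},
    {"campaign": "2024-Q1-tax", "user": "dave",  "clicked": False, "reported": False},
    # Campaign 2 (Prime Day lure): 8 emails delivered, same number of reports
    {"campaign": "2024-Q2-prime-day", "user": "alice", "clicked": False, "reported": True},
    {"campaign": "2024-Q2-prime-day", "user": "bob",   "clicked": True,  "reported": False},
    {"campaign": "2024-Q2-prime-day", "user": "carol", "clicked": False, "reported": False},
    {"campaign": "2024-Q2-prime-day", "user": "dave",  "clicked": False, "reported": False},
    {"campaign": "2024-Q2-prime-day", "user": "erin",  "clicked": True,  "reported": False},
    {"campaign": "2024-Q2-prime-day", "user": "frank", "clicked": False, "reported": True},
    {"campaign": "2024-Q2-prime-day", "user": "grace", "clicked": False, "reported": False},
    {"campaign": "2024-Q2-prime-day", "user": "heidi", "clicked": False, "reported": False},
]


def campaign_metrics(results):
    """Per-campaign counts and rates.

    Returns {campaign: {"delivered", "clicked", "reported", "click_rate", "report_rate"}}.
    Rates are divided by emails delivered, so two campaigns with the same
    number of reports can (and here do) have different report rates.
    """
    totals = defaultdict(lambda: {"delivered": 0, "clicked": 0, "reported": 0})
    for r in results:
        t = totals[r["campaign"]]
        t["delivered"] += 1
        t["clicked"] += int(r["clicked"])
        t["reported"] += int(r["reported"])

    metrics = {}
    for campaign, t in totals.items():
        n = t["delivered"]
        metrics[campaign] = {
            "delivered": n,
            "clicked": t["clicked"],
            "reported": t["reported"],
            "click_rate": t["clicked"] / n,
            "report_rate": t["reported"] / n,
        }
    return metrics


def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns.

    These are the candidates for more frequent training or manager follow-up.
    """
    clicked_in = defaultdict(set)
    for r in results:
        if r["clicked"]:
            clicked_in[r["user"]].add(r["campaign"])
    return sorted(u for u, camps in clicked_in.items() if len(camps) >= min_campaigns)


if __name__ == "__main__":
    for campaign, m in campaign_metrics(SAMPLE_RESULTS).items():
        print(f"{campaign}: delivered={m['delivered']} reported={m['reported']} "
              f"report_rate={m['report_rate']:.0%} click_rate={m['click_rate']:.0%}")
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
```

In the constructed data both campaigns produced exactly two reports, but the report rate halves from 50% to 25% because the second campaign delivered twice as many emails; comparing the raw counts alone would have shown no change. The same normalisation applies to reports of real phishing from the report button: a week with more reports may simply be a week with more phish, so the count of reports is only meaningful next to the volume of inbound mail or detected phish in the same period.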
