Security awareness training for CEOs

Anyone seen anything on that?
Regular security awareness training is a hard sell for CEOs of large and rich companies. They tend not to think of themselves as regular people, and, to their point, their time is pretty expensive, so it's better not wasted on half-baked products.
Does anyone know of a very good, short, to-the-point, extremely high quality, CEO-fashioned, expensive security training?
Just basic things -- check if the website has a cert, if it's trusted, don't accept suggestions to download and install "flash updates", how to avoid sketchy websites, how to recognize phishing, spear-phishing, whaling, CEO-phishing type of stuff.
Comments
I'd recommend this. https://www.knowbe4.com/pricing-kevin-mitnick-security-awareness-training
The solution is called KnowBe4.
I just recently had a demo for it and received a 2 week trial. The solution has exactly the training you need; you can cater it to your audience, from regular users to IT or developers or high management. Seems to be relatively cheap also. It's a SaaS solution and very well designed. You also get to conduct phishing campaigns from the platform and create your own social engineering campaign or use the templates they have. Cool thing is that they introduce content very often and relative to the news out there. Has tons of metrics too in order to judge how well users are identifying malicious emails etc. Give it a try. We will be migrating to this soon.
There are just a few modules on what would be interesting for top management and they are all full of fluff and irrelevant. The one on CEO fraud starts with a long introduction and a hypothetical situation in which a small real estate business owner who hires an accountant gets a call from them, and they say that supposedly the owner asked them to transfer money in both SMS and email. For CEOs of multi-million or billion dollar companies it's hard to put themselves in such an owner's shoes IMO, and it's too lengthy anyway. The majority of KnowBe4 modules could have "for dummies" labels on them; I don't think top management of larger companies can appreciate that.
That's why I'm looking for something specifically designed for this type of audience.
@TheFORCE did you ever proceed with the purchase? If so, how do you like it?
I'm looking for security awareness training for my entire company. KnowBe4 always looked good to me.
BUT, from my experience running a training and awareness program, I recommend you do exec training in person. Keep it short, targeted, and limit it to a small group. Why? So they can ask questions without feeling stupid in front of a large group of people. You'd be amazed at the basic stuff they might not understand but are afraid to ask. Some companies also offer dossiers to execs, presented to execs at their homes with their families present. Imagine doing a physical and cyber assessment of an exec and his family (think, what their kids are posting on social media), and presenting it to them in a very relaxed, non-judgmental atmosphere where they can ask questions. You obviously can't make that mandatory, but they may take you up on it if offered, especially if they have teenage kids. Stick to the facts, show them how the info could be used against them without being alarmist, and give concise, clear recommendations.
I also agree with @EANx, provide relevant metrics and statistics. You may also be able to put together interesting statistics on your own by doing things like scanning your organization's email addresses with the haveibeenpwned.com API. You can write a simple script or app to automate it. Things like that, depending on your company's culture, may garner attention more efficiently than relying on general reason.
For example, you send out a set of CBTs annually that check all your boxes for compliance and give you a nice neat report for audit when they knock at your door. You drive that program for 100% completion. Keep it short and targeted and find the best produced CBTs you can - remember, this is probably the most visible thing your security org will do - the whole company will see it. Give people plenty of notice that it's coming, keep the communications upbeat, and explain "the why". Then, run the rest of your program to get people to engage. Do communications (articles in company newsletter, lunch & learns, videos, etc.) that are informative, entertaining, funny, engaging...whatever works in your company culture. The idea here is to make info available that is so helpful and engaging that people WANT to read or participate, and they actually change their behavior as a result.
My experience is that as soon as you make something really funny or engaging mandatory, it's not funny or engaging any more.
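An added example (not code from the thread) of the haveibeenpwned.com metrics script suggested above: it queries the HIBP v3 `breachedaccount` endpoint (which requires an API key and a user-agent header; 404 means no breaches, 429 means rate-limited) for each address and aggregates the results into figures you can put in front of executives. The addresses and breach records in `SAMPLE_RESULTS` are constructed so the summary runs offline; the request pacing interval is an assumption to adjust to your subscription tier.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter

HIBP_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/{}?truncateResponse=false"
REQUEST_INTERVAL = 6.0  # seconds between calls; assumed, tune to your HIBP subscription's rate limit


def fetch_breaches(email, api_key):
    """Return the list of breach records for one address ([] if HIBP has none)."""
    req = urllib.request.Request(
        HIBP_URL.format(urllib.parse.quote(email)),
        headers={"hibp-api-key": api_key, "user-agent": "awareness-program-metrics"},
    )
    for attempt in range(2):
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code == 404:          # address not found in any breach
                return []
            if err.code == 429 and attempt == 0:   # rate limited: honour Retry-After once
                time.sleep(int(err.headers.get("Retry-After", "5")))
                continue
            raise


def summarise(results):
    """Turn {email: [breach, ...]} into program-level metrics (no addresses in the output)."""
    exposed = {e: b for e, b in results.items() if b}
    breach_counts = Counter(b["Name"] for blist in exposed.values() for b in blist)
    pw_exposed = [e for e, blist in exposed.items()
                  if any("Passwords" in b.get("DataClasses", []) for b in blist)]
    return {
        "checked": len(results),
        "exposed": len(exposed),
        "exposed_pct": round(100.0 * len(exposed) / len(results), 1) if results else 0.0,
        "with_password_exposed": len(pw_exposed),
        "top_breaches": breach_counts.most_common(5),
    }


def scan(emails, api_key):
    """Query HIBP for every address (paced) and return the aggregated metrics."""
    results = {}
    for email in emails:
        results[email] = fetch_breaches(email, api_key)
        time.sleep(REQUEST_INTERVAL)
    return summarise(results)


# Constructed sample of what fetch_breaches() returns, so summarise() can be run offline.
SAMPLE_RESULTS = {
    "alice@example.com": [{"Name": "LinkedIn", "DataClasses": ["Email addresses", "Passwords"]}],
    "bob@example.com": [],
    "carol@example.com": [{"Name": "LinkedIn", "DataClasses": ["Email addresses"]},
                          {"Name": "Adobe", "DataClasses": ["Email addresses", "Password hints"]}],
    "dave@example.com": [],
}

if __name__ == "__main__":
    print(summarise(SAMPLE_RESULTS))
```

Report only the aggregate numbers (exposure rate, top breaches) to leadership; the per-address list belongs with the people who will contact those users.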