Implementing security awareness training
MitM
For those using KnowBe4, Wombat, etc.: who is typically responsible for sending out the phishing campaigns and trainings? I'm assuming it's the infosec team, but wasn't sure if HR typically gets involved.
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
I think it's tough for IT to hold people accountable when we really don't have the authority to take corrective action. IMO, compliance training is much more in line with HR duties than it is with IT.
- IT develops security awareness training & delivers to HR
- HR provides security awareness training to company
- IT runs phishing simulation
- HR follows up with users who get phished for additional training
Edit: And I can't just not shout out Infosec IQ if we're talking about security awareness and phishing training. It's basically in the job description!
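The split proposed above only works if the phishing-simulation results IT produces turn into something HR can act on: per-campaign click and report rates for leadership, and a short list of people who keep clicking for the follow-up training. The following is an added example (not code from the original post, and not any vendor's export format or API) that shows one way to build that handoff from a simulation export. The CSV layout, column names and addresses are constructed for illustration; a real tool's export will need its own column mapping.

```python
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export in the shape a phishing-simulation tool might
# produce. The columns and users are hypothetical, not a real vendor format.
SAMPLE_CSV = """campaign,user,department,clicked,reported
2021-Q1,alice@example.com,Finance,1,0
2021-Q1,bob@example.com,Engineering,0,1
2021-Q1,carol@example.com,Finance,1,0
2021-Q1,dave@example.com,HR,0,0
2021-Q2,alice@example.com,Finance,1,0
2021-Q2,bob@example.com,Engineering,0,1
2021-Q2,carol@example.com,Finance,0,1
2021-Q2,dave@example.com,HR,1,0
"""


@dataclass
class Result:
    campaign: str
    user: str
    department: str
    clicked: bool
    reported: bool


def parse_results(text):
    """Parse the export into Result records, one per delivered message."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append(Result(r["campaign"], r["user"], r["department"],
                           r["clicked"] == "1", r["reported"] == "1"))
    return rows


def campaign_metrics(results):
    """Per-campaign click rate and report rate (percent of delivered messages).

    The report rate matters as much as the click rate: a rising report rate
    is the signal that awareness training is changing behaviour.
    """
    totals = defaultdict(lambda: {"delivered": 0, "clicked": 0, "reported": 0})
    for r in results:
        t = totals[r.campaign]
        t["delivered"] += 1
        t["clicked"] += int(r.clicked)
        t["reported"] += int(r.reported)
    return {
        c: {
            "click_rate": round(100.0 * t["clicked"] / t["delivered"], 1),
            "report_rate": round(100.0 * t["reported"] / t["delivered"], 1),
        }
        for c, t in totals.items()
    }


def department_click_rate(results):
    """Click rate per department, to target group-level training rather than
    only individuals."""
    delivered = defaultdict(int)
    clicked = defaultdict(int)
    for r in results:
        delivered[r.department] += 1
        clicked[r.department] += int(r.clicked)
    return {d: round(100.0 * clicked[d] / delivered[d], 1) for d in delivered}


def follow_up_list(results, threshold=2):
    """Users who clicked in at least `threshold` distinct campaigns.

    This is the list handed to HR for follow-up training; a threshold above 1
    avoids escalating someone for a single click on a well-crafted lure.
    """
    campaigns_clicked = defaultdict(set)
    for r in results:
        if r.clicked:
            campaigns_clicked[r.user].add(r.campaign)
    return sorted(u for u, c in campaigns_clicked.items() if len(c) >= threshold)


if __name__ == "__main__":
    data = parse_results(SAMPLE_CSV)
    print("Campaign metrics:", campaign_metrics(data))
    print("Department click rate:", department_click_rate(data))
    print("HR follow-up (repeat clickers):", follow_up_list(data))
```

With the constructed data, both campaigns show a 50% click rate, but the report rate doubles between Q1 and Q2, and only one user clicked in both campaigns, so the list handed to HR stays short and defensible.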
If the BOOM happens, and it was at least in part due to a human (clicking on a phish, etc.), who is the leadership going to look at?
Corp comms? No.
The security team.
If we have the responsibility to secure our organizations, we also have to have some authority to do the job right, and that means the security folks run the training and awareness program.
That doesn't mean we don't work with other teams, build good working relationships across departments, leverage other groups to help achieve our goals, etc. What it means is, we know best how to run training, phishing, awareness, etc.
If I had waited for HR to fix poor employee engagement before I could work on security engagement, I'd still be waiting.
If my awareness campaigns had looked like all of our other corp comms, nobody would have paid attention to them.
For context, I ran a program at a technology company with 9,000 employees in 23 countries.