Implementing security awareness training

For those using KnowBe4, Wombat, etc....Who is typically responsible for sending out the phishing campaigns and trainings? I'm assuming its the infosec team, but wasn't sure if HR typically gets involved

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Jamm1n

Hi MitM, I have been the past year to do exactly this. The security operations team has been strictly responsible for the phishing campaigns and training, security specific training. lol I don't know if our HR team actually does any training.... now that i think about it.

however they can! there is plenty of training within those consoles.

MitM

thanks for the reply!

paul78

Generally speaking what I do is that the infosec team selects the training modules and conducts the phishing tests. If the HR department or some other department has a training team and there is a corporate LMS, I would have the selected modules loaded into the LMS and the tracking and enforcement of training would be done by HR.

MitM

Thanks Paul! Trying to determine the best way to do it. Our HR department occasionally sends out required training modules through a 3rd party. I guess I can ask them how they'd like to handle it.

LonerVamp

Our security team handles the phishing testing. We also have input into the training that occurs, however, none of it is actually pushed by us. HR prefers to do this (asking a huge group of people to spend x/y portion of an hour with mandatory something comes with lots of red tape). Most everything also gets passed through a corp communications team who, of course, always has things to change (because otherwise, are you doing your job?).

Infosec_Sam

I'll go ahead and throw my 2 cents in here. My old job was on a small security team for a company of about 275 people, and my team was in charge of running our phishing program. Since our LMS existed outside of our phishing simulation system, HR handled much of the training while IT ran the phishing sims. Our process looked a little like this:

IT develops security awareness training & delivers to HR
HR provides security awareness training to company
IT runs phishing simulation
HR follows up with users who go phished for additional training

I think it's tough for IT to hold people accountable when we really don't have the authority to take corrective action. IMO, compliance training is much more in line with HR duties than it is with IT.

Edit: And I can't just not shout out Infosec IQ if we're talking about security awareness and phishing training. It's basically in the job description!

LisaPlaggemier

I have a different opinion than a lot of the folks on this thread.

If the BOOM happens, and it was at least in part due to a human (clicking on a phish, etc.), who is the leadership going to look at?

HR? No.
Corp comms? No.
The security team.

If we have the responsibility to secure our organizations, we also have to have some authority to do the job right, and that means the security folks run the training and awareness program.

That doesn't mean we don't work with other teams, build good working relationships across departments, leverage other groups to help achieve our goals, etc. What it means is, we know best how to run training, phishing, awareness, etc.

If I had waited for HR to fix poor employee engagement before I could work on security engagement, I'd still be waiting.
If my awareness campaigns had looked like all of our other corp comms, nobody would have paid attention to them.

For context, I ran a program at a technology company with 9,000 employees in 23 countries.

paul78

LisaPlaggemier said:

.... If we have the responsibility to secure our organizations, we also have to have some authority to do the job right, and that means the security folks run the training and awareness program. ...

I don't necessarily disagree - but learning delivery is usually not managed by the security team. The accountability for training doesn't change which is why I believe that the training should be selected by infosec. But that doesn't mean that there are no other parties which may have responsibility - the delivery responsibility IMO is usually more appropriate to be delivered by a training team especially if there's a corporate LMS which can track participation. Personally, I've always involved HR because in the companies that I deal with - security training is mandated and the consequence of failure/refusal to take the training is termination or formal reprimand.