Implementing security awareness training

MitMMitM Member Posts: 622 ■■■■□□□□□□
For those using KnowBe4, Wombat, etc....Who is typically responsible for sending out the phishing campaigns and trainings? I'm assuming its the infosec team, but wasn't sure if HR typically gets involved


  • Jamm1nJamm1n Member Posts: 106 ■■■□□□□□□□
    Hi MitM, I have been the past year to do exactly this. The security operations team has been strictly responsible for the phishing campaigns and training, security specific training. lol I don't know if our HR team actually does any training.... now that i think about it.

    however they can! there is plenty of training within those consoles.
  • MitMMitM Member Posts: 622 ■■■■□□□□□□
    thanks for the reply!
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    Generally speaking what I do is that the infosec team selects the training modules and conducts the phishing tests. If the HR department or some other department has a training team and there is a corporate LMS, I would have the selected modules loaded into the LMS and the tracking and enforcement of training would be done by HR.
  • MitMMitM Member Posts: 622 ■■■■□□□□□□
    Thanks Paul!  Trying to determine the best way to do it.  Our HR department occasionally sends out required training modules through a 3rd party. I guess I can ask them how they'd like to handle it.
  • LonerVampLonerVamp Member Posts: 518 ■■■■■■■■□□
    Our security team handles the phishing testing. We also have input into the training that occurs, however, none of it is actually pushed by us. HR prefers to do this (asking a huge group of people to spend x/y portion of an hour with mandatory something comes with lots of red tape). Most everything also gets passed through a corp communications team who, of course, always has things to change (because otherwise, are you doing your job?).

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
  • Infosec_SamInfosec_Sam Admin Posts: 527 Admin
    edited April 2019
    I'll go ahead and throw my 2 cents in here. My old job was on a small security team for a company of about 275 people, and my team was in charge of running our phishing program. Since our LMS existed outside of our phishing simulation system, HR handled much of the training while IT ran the phishing sims. Our process looked a little like this:
    1. IT develops security awareness training & delivers to HR
    2. HR provides security awareness training to company
    3. IT runs phishing simulation
    4. HR follows up with users who go phished for additional training
    I think it's tough for IT to hold people accountable when we really don't have the authority to take corrective action. IMO, compliance training is much more in line with HR duties than it is with IT.

    Edit: And I can't just not shout out Infosec IQ if we're talking about security awareness and phishing training. It's basically in the job description!
    Community Manager at Infosec!
    Who we are | What we do
  • LisaPlaggemierLisaPlaggemier Member Posts: 17 ■■■□□□□□□□
    I have a different opinion than a lot of the folks on this thread.

    If the BOOM happens, and it was at least in part due to a human (clicking on a phish, etc.), who is the leadership going to look at?

    HR?  No.
    Corp comms?  No.
    The security team.

    If we have the responsibility to secure our organizations, we also have to have some authority to do the job right, and that means the security folks run the training and awareness program.

    That doesn't mean we don't work with other teams, build good working relationships across departments, leverage other groups to help achieve our goals, etc.  What it means is, we know best how to run training, phishing, awareness, etc.

    If I had waited for HR to fix poor employee engagement before I could work on security engagement, I'd still be waiting.
    If my awareness campaigns had looked like all of our other corp comms, nobody would have paid attention to them.

    For context, I ran a program at a technology company with 9,000 employees in 23 countries.
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    .... If we have the responsibility to secure our organizations, we also have to have some authority to do the job right, and that means the security folks run the training and awareness program. ...
    I don't necessarily disagree - but learning delivery is usually not managed by the security team. The accountability for training doesn't change which is why I believe that the training should be selected by infosec. But that doesn't mean that there are no other parties which may have responsibility - the delivery responsibility IMO is usually more appropriate to be delivered by a training team especially if there's a corporate LMS which can track participation. Personally, I've always involved HR because in the companies that I deal with - security training is mandated and the consequence of failure/refusal to take the training is termination or formal reprimand.
Sign In or Register to comment.