What’s next for your security awareness program?
When I talk to CISOs or security awareness professionals, I frequently hear the same frustration about the results of their awareness programs. The supposed awareness programs have been a place for a year or more, and they have not yielded noticeable results, and in many cases seem almost useless, as user created incidents seem to continue to increase. When I ask them to describe their programs, what I get are descriptions of components of an awareness program and not a program itself. They describe computer-based training (CBT), and sometimes phishing simulations.