Security training is a business best practice that involves the training of all IT and user personnel in a company’s security policies and procedures to increase awareness and ensure compliance. It is a highly advisable practice for every company. However, too many adopters are only conducting security training in an informal manner, which can have dire consequences.
As shown in Figure 3 from our full report, Security Training Adoption and Best Practices, only 40% of our survey respondents indicate that they conduct security training formally and consistently, while 28% practice it formally but inconsistently, and 18% practice it informally. Another 11% of survey respondents are still implementing security training for the first time. The remaining 3% admit that they do not conduct IT security training at all.
Security policies must be supported by formal and consistent training of staff on the threats they face, how they should respond, and what the company expects from them in terms of compliance. Training helps ensure that employees do not create vulnerabilities by neglecting policies and procedures or by taking shortcuts.
To determine whether a company is training all IT personnel and employees in its security policies, procedures, and best practices formally and consistently, a set of questions must be answered. Our full report provides a suggested list of self-assessment questions. For example: Do you have comprehensive security policies in place? Do you onboard new hires to these policies? Do you update your security policies regularly and conduct regular refresher training? Did you change your security training after COVID-19 hit? And do you hold executives to the same level of training and policies as other users?
“Just having security policies and procedures in place is not enough to protect information systems and data,” said Tom Dunlap, director of research for Computer Economics, a service of Avasant Research, based in Los Angeles. “You have to follow through with training—and not just when someone is first hired. Periodic security training raises awareness and sends the right message that the organization takes those policies and procedures seriously.”
The good news is that security training has a high practice maturity rating this year, our first year of tracking this best practice. Its maturity rating is high relative to all the other best practices studied in our annual IT Management Best Practices study. However, the number of survey respondents consistently and formally conducting security training falls far short of the number practicing it to some degree. Thus, existing training programs should be evaluated to determine where they can be improved.
In our full report, we study the adoption and practice levels for security training and examine those by organization size and sector. As noted previously, we also include a set of self-assessment questions, and we conclude with recommendations to effectively carry out security training.