CSO had an excellent article that states the case that you need to get rid of old-school awareness training which you do for compliance reasons only. Their photo illustration was funny as heck - I have it here:
Frederick Scholl said: "October is National Cyber Security Awareness Month. I am hoping you will join me in a national program to kill cybersecurity awareness training programs. I don’t know who came up with the concept of “security awareness training”, but it has reached the end of its utility and should be replaced with something else. Is all we want is for users to be “aware” of security issues? Don’t we want them to be educated enough to be active parts of the solutions? Scholl makes the case for a security culture driven by John Kotter's book "Leading Change" using the Star Model from Jay Galbraith.
"This model emphasizes that five processes need to be implemented simultaneously in order to implement change. Obviously you need a security strategy. You also need to assign roles and responsibilities in the security structure. This needs to include the whole organization, not just the office of the CISO.
You need processes, and supporting technology. Galbraith also includes carrots (as well as the implicit sticks) to motivate people. Finally, we have the people process: training and educating all staff to influence employee mind-set and skills around information security.
Awareness training alone will not be enough to facilitate an organizational change. We need to enable our users to learn about security and how to use it in their jobs."
Hear hear! We could not agree more. Old-school awareness training for compliance reasons have given it a bad rep. If you move to the new-school approach you will see it works like a charm!
Read the whole article here, there is much more:
http://www.csoonline.com/article/3128211/leadership-management/time-to-kill-security-awareness-training.html
Get a one-on-one demo and see for yourself how you can harness your employees and keep your network safe.
