If you hadn’t noticed by now, we are in the first week of National Cybersecurity Awareness Month, which, according to the Cybersecurity Infrastructure and Security Agency in the United States, means that we should all consider how people, organizations, and businesses can “be cyber smart” this year and ahead.
While there are countless ways to interpret exactly how to “be cyber smart”—like adopting cybersecurity best practices around strong password use, two-factor authentication, and remote desktop protocol ports—we at Malwarebytes Labs wanted to take a step back and consider: How do you train people to be cyber smart in the first place?
After all, cybersecurity training is likely the first and most important step in cybersecurity awareness, whether at home or in the office. But developing engaging, actionable cybersecurity training programs can be a difficult endeavor, as those who develop the training have to potentially meet their organization's compliance requirements while considering their audience’s interests, needs, awareness level, and time available to actually complete training programs.
To better understand how to make smart, engaging cybersecurity training, and to help businesses everywhere roll out their own, we asked Kelsey Prichard, security awareness program manager at Malwarebytes, to share her insights. At Malwarebytes, Prichard develops the security awareness programs and compliance training for the company’s employees—which are sometimes affectionately called “Malwarenauts.” She has developed seven “microlearning modules” and one security compliance training course—with another soon to come—and she has organized multiple in-house security webinars.
Prichard’s programs have also taken advantage of what she described as a “playful culture” at Malwarebytes, as each October, she has structured the annual security training to be “based around a different popular sci-fi movie.” The themed training programs have found a perfect home at the company, as its Star Wars-themed Santa Clara headquarters includes multiple conference rooms named after popular characters and its hallways are adorned with plenty of movie art.
The following Q&A with Prichard has been edited for clarity and length.
When you first joined Malwarebytes, you were tasked with something quite intimidating: Developing a cybersecurity training program for hundreds of company employees. Where do you even start with a task this large?
This was quite the challenge, as this role was my first formal introduction to the world of security. My background’s in learning and development, and I used to work for Tesla developing their body repair training. So much of the material was new to me. Luckily, the security team here is fantastic and gave me a lot of the security frameworks I needed to get started. I think being a “beginner” in security helped give me a clarity I’m not sure I would’ve had otherwise. The first few months consisted of a lot of Googling, online training courses, and trial and error. As I learned, I developed courses and wrote down ideas. It was extremely important to me that I didn’t start a program that people didn’t want, nor were interested in, so a huge aspect of that was learning how to make it fun. Malwarebytes has a lot of very smart individuals, and this is a security company, so I had to develop content that was interesting and yet also met compliance requirements, so everyone took training in a timely manner.
How did you measure the cybersecurity familiarity of Malwarebytes employees to ensure that the training programs you built would fit their level of understanding?
We have a huge range of security knowledge here at Malwarebytes, so we’ve tried to incorporate variability in the content we upload. Some formats, like our training modules, are catered to Malwarenauts who may have less security understanding, while others, like our monthly webinars, are more technical. We also have a Security Champions program where our security experts in the company come together to learn from each other and our security team so that they can help educate their fellow Malwarenauts. There are some things, however, like our compliance training that we need to roll out to everyone, so this needs to cover a broad spectrum of security knowledge.
How did developing these training programs specifically for employees at a cybersecurity company influence, if at all, the development process?
Lucky for me, working at a cybersecurity company has meant more engagement in security training than you’d see at other companies. However, it also makes our mandatory trainings more difficult since we have such a broad level of security knowledge and it’s odd knowing that you may be training someone with more security knowledge than yourself. That being said, I really love that there are so many people around me that are knowledgeable and excited about cybersecurity. It means I have a lot of people to learn from and I get a lot of support from upper management, but it was definitely intimidating at first!
When deciding what topics to prioritize, I imagine you had an enormous list. Can you describe what was on that early list?
Yes! The first thing I needed to do was set up our first annual security training, which was easy to prioritize for compliance reasons. Cybersecurity Awareness Month was also a big priority because I used it as the launch of our security awareness program and it’s the optimal time to make a big deal of cybersecurity. Creating a plan for the year on topics to be covered was also very helpful, as it allowed for getting the expert speakers for those topics. It requires a lot of coordination.
How did you narrow down the first few topics you developed training programs for? Why did you choose those topics?
My security teammates were hugely valuable. They were aware of the biggest threats to our organization, so I initially developed training to highlight and help our employees prevent these threats from occurring. From there, we really wanted to cover the “cybersecurity basics” to set a knowledge groundwork for all employees.
In developing the training programs, was there any practice you knew you wanted to avoid?
I am very aware that “learning fatigue” is easy to succumb to with mandatory training modules. Because of this, I wanted to ensure that all training programs were split up to take no longer than 15 minutes at a time. This is why you’ll see our mandatory training is 30 minutes in total, but is split into three separate courses that are combined into one learning plan. This gives learners the option to complete a course and return to the learning plan as needed.
I also aim for story-based training, where it makes sense, to simplify otherwise complex content and make it relatable.
Finally, what is your top tip for other cybersecurity trainers who want to make smart training programs for their organizations?
Keep it engaging. I think as cybersecurity trainers we tend to get wrapped up in what the content is and forget how crucial it is to make the learning entertaining. If your audience doesn’t engage in the training you create, all it’s doing is checking a compliance box.