Planning a security awareness training curriculum for the organization is one of the core activities our customers engage in each year. Planning ahead and automating tasks helps streamline SAT programs, ensuring timely training roll-out and leading to higher completion rates. Along with good timing, delivering relevant training content for different user groups helps keep security training more meaningful, boosting its impact.
We’re adding tools, features and content to Hoxhunt that make an awareness program manager’s work easier. Sometimes it’s power tools like document-to-training AI content generation, sometimes it’s adding highly industry-specific training content, and sometimes it’s simply making sure the basics are covered as well as possible.
Let’s look at an example awareness manager’s training curriculum for the year. How do they set it up, how does Hoxhunt help them reach their users, and how do they serve the best possible content?
Serving the right training content at the right time
Sammy is the awareness manager at Example Corp. Sammy knows the organization’s security training needs throughout. Here are the most important points:
- All new employees must complete security training as part of their onboarding
- All employees must complete an annual security review before end-of-year
- All software engineers must complete training on secure web development
- All remote employees must complete work-from-home related security training
Sammy has several other responsibilities as well. They want to champion a security-positive culture, so they need time throughout the year for other activities. Their time cannot be consumed by just training creation and follow-up.
Let’s see how Sammy can set up and automate many of the awareness training tasks.
Setting up the training curriculum and delivery
To address all the most important training points, Sammy jumps into the Hoxhunt platform.
First, it’s time to set up security training for new employees.
Training for new employees
In Hoxhunt, Sammy creates a new Training Package. The training package defines all the relevant content and settings for delivering training.
For training content, Sammy selects five lessons from the library’s Security Awareness Essentials topic. This topic’s lessons are specifically designed to work as the baseline, essential training content.
Since the training is for new employees, Sammy sets the training package’s targeting so that it is only delivered to new employees who are added to Hoxhunt.
New employees should complete this during their onboarding, so Sammy sets a relative completion deadline to be four weeks after assignment. Whenever a new employee is identified, the Essentials training is assigned and the employee has four weeks to complete it.
New employees might be quite busy with other onboarding tasks, possibly forgetting the training. The training is important for the organization’s security, so Sammy enables automatic weekly reminders sent by Hoxhunt until the training is completed.
Done. Whenever a new employee is added as a Hoxhunt user, security awareness training is automatically assigned to them, and automatic reminders help ensure they complete their training.
Next, Sammy sets up the annual security review.
Annual security review
This one is quick. Sammy has a solid playbook for the annual review, and can reuse most of the previous year’s lessons. However, the company’s VPN provider has changed, so Sammy quickly edits the relevant lesson to change the text to refer to the new VPN provider.
Again, Sammy creates a new training package. This training applies to all employees, so no targeting needs to be specified. (Note: a single annual training works for all Example Corp. employees. In some cases, companies might create separate security reviews for “white-collar” and “blue-collar” workers, which would require targeting or different training delivery methods.)
Sammy wants people to complete the training towards the end of the year, so the training is scheduled to be assigned on November 1st, with a deadline on November 30th. This still leaves all of December to ensure that any employees who miss the deadline complete the training.
Just in case, Sammy again enables weekly reminders. Since this training is mandatory for compliance requirements, Sammy also enables Manager reminders: employees’ managers will get notifications if their direct reports have overdue training. This means Sammy will have all the managers assisting in ensuring full completion rates.
Then, Sammy jumps into department-specific training.
Training by department and job function
Sammy has a training requirement specific to the Technology department’s engineers: All software engineers must complete training on secure web development.
The relevant training will consist of the lessons under the Open Web Application Security Project (OWASP) topic, and Department level targeting is set to “Technology” and Job function targeting to “Software Engineering”.
Finally, Sammy sets up training for remote employees.
Training for remote workers
For employees working from home, it’s important that the employees pay attention to device security, working in public spaces, and securely accessing company files.
Sammy creates a training package with lessons from the Working Remotely / From Home topic.
To send the training only to remote workers, Sammy sets Site as “Remote” in the targeting options.
Sammy is now done. The most important points of the organization’s security awareness training are now covered. Training is set up to be assigned automatically with notifications to the relevant users, and automated reminders will ensure employees complete the trainings in due time.
For the rest of the year, Sammy can focus on culture building activities and giving more personal assistance to users and groups that need it the most.
Ensuring proper targeting of content
In the examples above, the awareness manager relies on having accurate information on each employee, including department, site, starting date, and—for the reminders—the direct manager’s email.
In Hoxhunt, customer organizations can easily synchronize user information into Hoxhunt from their provisioning system, such as Active Directory. But sometimes, the information in the provisioning system might not be as up-to-date or accurate as the employee information in the Human Resources Information System (HRIS).
Hoxhunt supports integrating with HRIS providers to pull in employee information from the HR system to complement or fix user data in the provisioning system. When employee information is accurate and matches the data used in everyday work, training delivery and targeting work much more seamlessly.
Currently supported HRIS integrations are: Workday, BambooHR, HiBob, and SAP SuccessFactors.