There was just one problem. Employees weren’t completing the training. After two weeks, only 40% of employees had completed it, and most hadn’t even started. Our CEO had already sent out a message emphasizing the importance of the training and the requirement that all employees complete the training within 30 days.
I didn’t want to do anything that would make me come across as the mean security guy. Instead of escalating the matter to other managers or sending out nasty messages, I got my boss to allow me to expense several hundred dollars’ worth of Starbucks gift cards. I then sent a message stating that I would be giving out gift cards to 20 random employees who completed the training by the end of the third week. And I’ll be damned! Being the nice security guy works sometimes. The completion rate hit 90%. Of the non-compliers, many were out, either on vacation or taking some other valid leave.
For the remaining employees that were in the office, I had one of our new HR representatives reach out to encourage them to complete the training. She employed guilt, explaining that if we didn’t obtain 100% completion, we would not be PCI-compliant, which we need to be in order to grow. Guilt worked too. Within 30 days, all eligible employees had completed the training. And since I had forced all employees to read and attest to their understanding of our security policy and code of conduct prior to completing the course, I knocked out another PCI requirement.
I’ll continue to use the SANS training sporadically throughout the year as needed to emphasize security risks. For example, if there is a sudden surge in phishing attacks, I will require all employees to complete a single module related to email security. That’s what’s nice about having a learning management platform and an easy means to deliver and track training for a large number of employees.