"Are we treating employees with the same seriousness as we are other threats to the organization If you updated your firewall software and virus definitions once a year, people would say that you're negligent," Conrad says.
"It's time to really step up the human element," he adds. "Traditionally, CIOs and CISOs have looked at technology and processes. Now it's time to look at people. They're a very high threat to the organization, but we don't necessarily treat them like any other threat vector. Employees generally want to do the right thing."
Effective awareness training starts with a risk assessment, Conrad says. You need to understand what your most valuable assets are so you can better craft a plan to protect them.
"What are your risks Align your training around those," Conrad says. "You shouldn't give the same training to everyone in your organization. Your executives need certain training that others in the organization may not."
[ Related: 6 tips for your security awareness training ]
Call center employees may need extra training around social engineering risks, while human resources employees may need particular training about handling personally identifiable information (PII).
Conrad notes that the National Institute of Standards and Technology (NIST) Cybersecurity Framework is an excellent foundational document with which to start the process.
Once you know what you need to protect and who needs special training to protect it, you need to craft a program of continuous education around it.
"You can't offer lackluster training for 30 minutes one a year and say it doesn't work," Conrad says. "Why would you expect it to work You need foundational training, but the overall training program needs to be one of reinforcement. You need to look at it as an overall program, not an event."
User behavior analytics can play a key role in a continuous program that adapts to the risks that your employees face. These analytics can provide pop-up alerts when employees engage in certain activities.
"We see you're doing this, be aware that these are the best practices and what you need to watch out for," Conrad says.
"We call it 'just-in-time training' or 'performance-at-work training,'" he adds. "You're disclosing proprietary information to a partner, can I give you education and a checklist of what you should and shouldn't be sharing"
It's also essential to treat your security awareness program as a communication exercise — essentially a change management problem. IT and the security function may not have the skills to make that happen, so Conrad suggests partnering with the training organization or the marketing organization to most effectively get the awareness training across.
"Anytime you can communicate a message to a person and make it personal, you're going to be much better off," Conrad says.
For instance, foundational training could show employees tools and best practices they can use at home to protect their children and other family members. They can then apply those tools and practices on the job.
"That's a very reasonable way to approach it," Conrad says. "Tie in that emotional hook. Make it real and personal."