Capensys Solutions to Gartner’s 10 Common Security Awareness Program Mistakes

Many CISOs and security managers struggle to define the vision, objectives and outcomes needed to create an effective cybersecurity awareness program. Consequently, mistakes are made that can lead to negative sentiments across the firm and an under-performing program. By avoiding these common mistakes, your program can be a key component in changing security behaviors across your enterprise.

The following 10 most common security awareness program mistakes were identified by Gartner members. Capensys has responded to these mistakes with practical advice on how to avoid these missteps as well as how the Sentinel program provides solutions.



Mistake Description Sentinel Program Solutions

Lack of Relevant Skills

Those who are asked to lead security awareness programs often have multiple roles within an enterprise and lack some of the necessary skills, such as an in-depth understanding of the security landscape, or how to structure an effective communication program.

The Capensys Security team can educate the program stakeholders on the general security threats, and those that may be specific to the firm.

Our Communication team can provide best practices and communication options to maximize user buy-in and understanding of the program.


No Authority

Individuals who are charged with delivering security awareness and ensuring its effectiveness often lack the authority to do so.

Consulting to help properly define the vision and set expectations with firm executives.

Consulting to help secure executive buy-in and visible support for the program, and the security behavior/principles it espouses.


Symptom Bias

The tendency to focus on symptoms of the problem versus the actual problem. This common error will not address the root of the problem, and will only make the actual problem worse.

Capensys guidance to avoid getting lured in by “easy fixes” that further mask the problem.

Assistance with program planning to ask the questions that focus on the program, not the symptoms.


Boring, Scary Content

Security awareness content is often packaged and delivered in a boring, scary or complex manner. Don’t settle for substandard content.

The Sentinel content is award-winning, engaging, and includes gamification and legal scenarios.

In addition to clear and simple policies, Capensys encourages firms to provide positive reinforcement for the correct behavior.


Unclear Objectives

Lack of clearly outlined learning objectives will limit and possibly prevent your ability to succeed.

Capensys can work with the program stakeholders to conduct a needs analysis to help evaluate the current state of overall user awareness and determine the best focus for the program.


Audience Disconnect

You should know your audience. If you don’t know your audience, you can’t anticipate their needs or authentically connect with them.

As part of the initial needs analysis, the Sentinel team can work with the firm to identify the primary security profiles. These profiles will inform the elements of the overall security awareness program that are provided to the different user groups.


Bad Metrics

Course completion rates do NOT necessarily mean that behavior has changed. You need to validate that your users are actually following firm policies and protecting the firm.

Capensys can help formulate a broad security survey to get a clear picture of the strengths and weaknesses of the different user groups within the firm.

Educational phishing programs can be designed to coach instead of “trap”, and highlight groups within the firm that need additional training.

Don’t be afraid to repeat activities to measure maturity/growth over time.


Misguided Focus

Make changing people’s behavior the main goal of the security awareness program. Otherwise, there is no point in making them aware of security concerns.

Security programs managers can overemphasize reports and metrics. Instead, the focus should be on user behavior.

Gather reports from the Help Desk and your educational phishing campaigns to tailor 9your training. Where you see trends emerge that pose a security threat, be pro-active. Meet with relevant stakeholders to identify the underlying issues, and reach out with supplementary coaching or additional discussions.


Infrequent Reinforcement

Training activities are too infrequent, and training modules are too time-intensive.

The Sentinel modules are short and engaging. A user can start a course and continue it later, as time permits.

Capensys will work with the project stakeholders to plan a 12-month awareness program that includes training and monthly/quarterly reinforcements.


Failure to Reward Success

Don’t just focus on what not to do. Reward employees for demonstrating secure behaviors.

Capensys promotes a best practice of broadcasting security “wins” to the firm. Call out users on a Security Hall of Fame for their contributions.

There is a positive payoff in seeing peers undertaking good policies. Encourage users to quickly report security concerns and assure them that sooner is better than later.