Capensys Solutions to Gartner’s 10 Common Security Awareness Program Mistakes

Many CISOs and security managers struggle to define the vision, objectives and outcomes needed to create an effective cybersecurity awareness program. Consequently, mistakes are made that can lead to negative sentiments across the firm and an under-performing program. By avoiding these common mistakes, your program can be a key component in changing security behaviors across your enterprise.

The following 10 most common security awareness program mistakes were identified by Gartner members. Capensys has responded to these mistakes with practical advice on how to avoid these missteps as well as how the Sentinel program provides solutions.



Mistake | Description | Sentinel Program Solutions

Lack of Relevant Skills

Those who are asked to lead security awareness programs often have multiple roles within an enterprise and lack some of the necessary skills, such as an in-depth understanding of the security landscape, or how to structure an effective communication program.

The Capensys Security team can educate the program stakeholders on the general security threats, and those that may be specific to the firm.

Our Communication team can provide best practices and communication options to maximize user buy-in and understanding of the program.


No Authority

Individuals who are charged with delivering security awareness and ensuring its effectiveness often lack the authority to do so.

Consulting to help properly define the vision and set expectations with firm executives.

Consulting to help secure executive buy-in and visible support for the program, and the security behavior/principles it espouses.


Symptom Bias

The tendency to focus on symptoms of the problem versus the actual problem. This common error will not address the root of the problem, and will only make the actual problem worse.

Capensys guidance to avoid getting lured in by “easy fixes” that further mask the problem.

Assistance with program planning to ask the questions that focus on the program, not the symptoms.


Boring, Scary Content

Security awareness content is often packaged and delivered in a boring, scary or complex manner. Don’t settle for substandard content.

The Sentinel content is award-winning, engaging, and includes gamification and legal scenarios.

In addition to clear and simple policies, Capensys encourages firms to provide positive reinforcement for the correct behavior.


Unclear Objectives

Lack of clearly outlined learning objectives will limit and possibly prevent your ability to succeed.

Capensys can work with the program stakeholders to conduct a needs analysis to help evaluate the current state of overall user awareness and determine the best focus for the program.


Audience Disconnect

You should know your audience. If you don’t know your audience, you can’t anticipate their needs or authentically connect with them.

As part of the initial needs analysis, the Sentinel team can work with the firm to identify the primary security profiles. These profiles will inform the elements of the overall security awareness program that are provided to the different user groups.


Bad Metrics

Course completion rates do NOT necessarily mean that behavior has changed. You need to validate that your users are actually following firm policies and protecting the firm.

Capensys can help formulate a broad security survey to get a clear picture of the strengths and weaknesses of the different user groups within the firm.

Educational phishing programs can be designed to coach instead of “trap”, and highlight groups within the firm that need additional training.

Don’t be afraid to repeat activities to measure maturity/growth over time.


Misguided Focus

Make changing people’s behavior the main goal of the security awareness program. Otherwise, there is no point in making them aware of security concerns.

Security program managers can overemphasize reports and metrics. Instead, the focus should be on user behavior.

Gather reports from the Help Desk and your educational phishing campaigns to tailor your training. Where you see trends emerge that pose a security threat, be pro-active. Meet with relevant stakeholders to identify the underlying issues, and reach out with supplementary coaching or additional discussions.


Infrequent Reinforcement

Training activities are too infrequent, and training modules are too time-intensive.

The Sentinel modules are short and engaging. A user can start a course and continue it later, as time permits.

Capensys will work with the project stakeholders to plan a 12-month awareness program that includes training and monthly/quarterly reinforcements.


Failure to Reward Success

Don’t just focus on what not to do. Reward employees for demonstrating secure behaviors.

Capensys promotes a best practice of broadcasting security “wins” to the firm. Call out users on a Security Hall of Fame for their contributions.

There is a positive payoff in seeing peers undertaking good policies. Encourage users to quickly report security concerns and assure them that sooner is better than later.

Increasing Engagement in Your Security Awareness Program – ILTA Blog: 1/10/18

John M. Attinger, Director – Security & Training at Capensys, and Steve Williams, Director of Strategic Partnerships at MediaPro

Debate will and should continue about what role individuals and employees should play in the security effort. What is no longer a debate is that an individual’s decision making, when it comes to handling data, transferring information, and protecting devices, can have a major impact on an organization of any size. In today’s hyper-connected world there is an ongoing clash between personal and professional tasks – an individual’s digital life and their attention is often distributed across a number of personal and professional devices. These interconnected variables have created an environment in which a single connection to a rogue network or just one poor decision with a malicious attachment can result in an array of incidents ranging from ransomware to credential theft and many things in between.

Though controls, policies, and system defenses will always play a critical role in minimizing or reducing the impact of these incidents, it’s time for firms to fully embrace the positive influence that encouragement and involvement can play when it comes to the security and privacy decisions that people make.

At its core, technology can accelerate productivity and improve both life and business experiences. In-person meetings and bland voice-based teleconferences have been augmented and are often entirely replaced by interactive “virtual” meetings that allow for live collaboration, screen sharing, and live video feeds. Search engines and social networks are turning phone books into historical artifacts, and seeing a person without a mobile device is becoming an anomaly. Hailing a cab in the rain while shivering? All but gone – there’s an app for that. People are willing to rapidly adopt any technology that they perceive will make their life better or even more enjoyable. These technologies are good; actually, they are great and have positively transformed the way we work and what we are capable of producing.

So why is it such a struggle to get users to adopt basic behaviors and best practices that can virtually eliminate the damage done by the usual suspects: phishing, social engineering, and even lost devices? There’s no single answer. Were it that easy, we’d all be one blog post or software license away from the “cure” (hint: be very suspicious of anyone that claims to have the cure!). Having collaborated on countless security awareness/data privacy programs for the past 4 years, I’d contend that our messaging and approach still needs some work. If our goal is actual behavior modification, it would be nice if we could sit back at a safe distance and steer people towards the light only using tools like phishing simulators, online training, and email based security alerts. While these tools play an important role in raising visibility and increasing competency, they are not a replacement for the life blood of any effort to drive change: personal engagement.

Our colleagues that are not in direct security/risk/compliance roles don’t wake up every morning thinking about data loss or privacy breaches, like us. Our colleagues don’t open email messages at all hours and study the headers and IP details to determine the source of the strange message, like us. Our colleagues also do not head into a job performance review thinking about how their ability to protect company information and trade secrets from outsiders will be evaluated; maybe they should, but they don’t. Hoping that we can change these behaviors “remotely” is running face first into a stiff wind. We need another approach to drive the type of change that makes a meaningful difference. Can we learn from other examples where people commit time, devote energy, and take action on projects that are not associated with their core job function? Yes.

Company-based health and wellness programs, community service projects, and fundraisers are excellent examples of activities that occur with frequency and success within organizations of all sizes. Most of these activities share a common quality: they are optional; people can choose to commit or flat out ignore them. A former colleague of mine recently described a pre-work event – dozens of female colleagues met with over a hundred young girls from a variety of local schools at a career discovery event. They met, talked, and shared professional career path options with the young stars… unpaid and optional, but very well attended. What was the driver? Engagement. The program was spearheaded by several individuals who relentlessly recruited internal team members to commit and attend, and reached out to the school community. The result – a successful event that had real impact.

So, what do the outcomes of security engagement look like? Last month a colleague in a law firm overheard a counterpart complaining to a peer about the IT Department. The complaint? IT had started renaming his client folders on a shared drive using hexadecimal codes and complex character strings. The colleague commented that it was highly unlikely that IT would rename his folders without prior notification, and asked to see an example. He immediately called the security team who discovered that ransomware file encryption was actively underway. Should there have been an automated alert or preventative control to stop the file encryption? Probably. But when a control falls short or something unusual occurs, an employee that is engaged will act while the employee that is unengaged will tune out the colleague’s conversation about renamed folders.

Security and privacy engagement is a contact sport, not a remote activity. You can’t move behavior and drive change in the absence of shared ownership and a team that is committed to helping drive the message. Sending a fake phishing email to colleagues is a security awareness activity and one that can play a role, but getting involved with influential members of your organization to earn buy-in and gain support and mindshare for your security and privacy program is real security engagement. So are town hall sessions that paint an accurate picture of the threat landscape, the firm’s vulnerabilities, and the drivers behind the “push” for security (esp. the firm’s clients). And speaking at attorney lunches and secretary meetings, or hosting a “Security Awareness Month.” Even better – pushing pinpoint optional micro-learning to your users when a real-world security event, such as the WannaCry ransomware attack, is top of the news. And when a user does the “right thing” and demonstrates engagement with security awareness, celebrate the win to your wider user community. The outcomes of these types of security engagements are the game changers that we seek.

“For additional insight on security awareness engagement, Capensys hosted a webinar titled How to Build & Maintain an Engaging Program (with everything else that you have to do!).”

Robinson Bradshaw Achieves LTC4 Certification Using Capensys Courseware

Why LTC4?

Robinson Bradshaw wanted to implement a firmwide training program, focused on competency-based performance standards, evaluation and ongoing training, that would have a meaningful impact on the firm’s morale and productivity. The program offers the opportunity to become “certified” in various core competencies, and Robinson Bradshaw saw this as an opportunity for staff to grow and develop new and better skills.

Greg Tomlinson, Training and Development Coordinator, first heard of the LTC4 core competencies from his LMS content provider, Capensys (an LTC4 Founder). He attended an LTC4 webinar and got excited about what it would mean for the firm. He worked closely with Capensys in obtaining strategies for stakeholder buy-in and possible future rollout.

The Buy-In

Pam Sachs, Director of Human Resources, stated:

“LTC4 initially came to my attention through our in-house trainer in the fall of 2014.  My immediate reaction was that maybe this would finally be a solution to the incredible need in law firms for better skills to support law firm efficiency, both at the lawyer and staff levels.  They sold me because they were focusing on workflow processes (not just software knowledge) and creating an environment of continuing skills development. We believed the staff and attorneys would take a fresh look at the new training tools with the ability to learn at their desk or at home on their own schedule.

Internally, we have been on track with our customized LTC4 training since the spring of 2017.  Staff acceptance of the training, assessments and certifications have exceeded our expectations and, based on that success, we are hoping to incorporate the attorney groups in the near future.”

Geoff Rhodes, Director of IT, stated:

“Our lawyers and staff were attending training classes, but we needed to know if they were retaining the information and using the applications efficiently.  Enter LTC4.  This program allows us to perform assessments to determine individual knowledge gaps.  Based on those gaps, customized training can be created to further educate those identified as needing assistance.  The established legal technology core competencies help us measure staff productivity improvements, and the certification creates a sense of accomplishment to be proud of.”

Alan Menius, Executive Director, stated:

“We view LTC4 as a valuable tool in our ongoing efforts to better define work processes in our practice support team, define core competencies, and recognize individual and group progress toward those goals.”

The Rollout

Greg Tomlinson led the charge with PowerPoint presentations, marketing and demos of the learning plans.  He decided to update their LMS page to Robinson Bradshaw University (including new Capensys content) and incorporate the LTC4 rollout simultaneously.  With help from Capensys, he broke out each core competency skill and created learning plans in the LMS of the videos and assessments for easy viewing and tracking.  Many of the users were able to test out by just completing the Capensys KnowledgeCheck.

As of this date, Robinson Bradshaw has completed the Managing Documents and Emails and Working with Legal Documents learning plans. Presently, the entire firm is undergoing the certification process for Security for Lawyers learning plan and in early 2018 will be rolling out Collaborating with Others to the staff.

The Firm

Robinson Bradshaw is a Carolinas-based corporate law firm with national practices. We provide comprehensive legal services to businesses ranging from startups to Fortune 100 companies.

Visit for more information.


Gordon & Rees IT Skills Improvement and LTC4 Certification Using Capensys Courseware and Tools


In October of 2016, Tanya Vawter, Training Manager at Gordon Rees Scully Mansukhani, LLP, along with her training team of 3 people, began a continuous performance improvement initiative that would provide top-notch online training to attorneys and staff in their 35 plus offices spread across the US. They also wanted to provide that same level of training to the 4-10 new hires that arrived each week. They were members of LTC4 and were already using the Capensys LMS and LTC4-aligned courseware. The LTC4 certification program was launched to all offices with the intention of fostering ongoing up-skilling.


Here are the stats showing their considerable achievements:

Certifications, Learning Plans and Courses

  • 59 LTC4 Legal Professional Certifications have been earned by Attorneys.
  • 229 LTC4 Legal Support Specialist Certifications have been earned by Staff Members.
  • 1557 Ongoing Monthly Learning Plans have been completed by Attorneys and Staff Members over the past year
  • 32,482 Computer Based Training (CBT) courses were completed on the Capensys LMS within the past 12 months.

How they did it

Tanya describes their LTC4 continuous performance improvement program as follows:

We use Capensys courseware and LMS to run our ongoing learning program and also to implement our new hire onboarding.  For new employees, we have each person take a short survey (using Capensys Pathfinder). We use this information to craft a customized learning plan for each user.

For ongoing learning, each month separate LTC4 learning plans for attorneys and staff are published to the LMS. We announce the release of the new learning plans each month via e-newsletter.  Employees are assigned either the staff or the attorney plan, as appropriate.  The learning plans combine CBT courses and KnowledgeChecks to prove skills.

We also publish a KnowledgeCheck-only package for those who wish to ‘test out’ of the training.  Each month’s plan is built with a portion of the courses required for LTC4 certification.  That way employees will earn LTC4 certification in 2-4 months (depending on the specific certification being worked toward that month).

We also have some employees who’d rather earn certification faster.  For those people, we publish the full learning plans to earn LTC4 certification. (Again, we also publish a KnowledgeChecks only plan as well).  As of October 2017, we have 5 different certification learning plans available.  Next month, we will add a 6th.

We have 4 categories of learning plans for new hires:  Attorney, Admin, Paralegal and Secretary.  Within each category, specific topics are customized for each individual user based on the answers to their Pathfinder questions. The end result is a list of assigned CBT and suggested instructor-led courses.  This information is also shared with the Office Administrator for the employee’s office.  We provide monthly reports so that the OAs can track completion for the people in their office. As we are 3 people supporting 35+ offices, we put the onus on the OAs to track and manage completion.

At the end of each month, we run reports to see who has completed LTC4 certifications that month.  We then email that information along with the forms LTC4 requires.  About a month later we get a PDF of the certifications.  We then print physical certificates and send via interoffice to each employee.

We market LTC4, Ongoing Learning and the LMS on an almost continuous basis.  We send out a weekly Tech Tips style newsletter which links to courses or documentation in the LMS.  At the end of almost every instructor-led class we show the LMS and how to use it to find CBT courses and tip sheets to review the current class topic.

On a monthly basis, we send out a list of who has earned LTC4 Certifications, what LTC4 Certifications are available, and also a reminder that the new monthly learning plans are available.  We always include links to the original program announcement as well as links to the LTC4 site.

The response has been very positive. Our users like the immediacy of the CBT courses. They also like that they are earning certification which is attached to the individual rather than the firm. We’ve had around 300 LTC4 certifications earned over the past year. We’d like this to be higher next year, so we are always looking into new ways to motivate employees. (Next month we are pushing jars of jelly bellys for anyone who has earned all 6 certifications)

As mentioned, my training staff consists of 3 people. Without the Capensys LMS and courseware, it would not be possible to provide training and support to so many people.  We rely heavily on CBT courseware. We also use the LMS to publish our calendar of WebEx live classes and manage registrations, etc.

About Gordon & Rees

Gordon & Rees was founded in San Francisco in 1974 by Stuart Gordon and Donald Rees, both of whom maintain practices and are active in the life of the firm. In just over 40 years, Gordon & Rees has grown from a small defense firm to a national litigation and business transactions firm with more than 800 lawyers in 46 offices throughout the United States, including lawyers admitted in Canada, Mexico, and Hong Kong.

An AmLaw 200 firm, Gordon & Rees is recognized among the five fastest-growing law firms in the country.  Responding to the needs of their clients, Gordon & Rees continues to add and deepen its national practices and pursue additional office opening opportunities when it best serves their clients’ needs.

About Capensys

Capensys Ltd. is a full-service training company for law firms. Capensys provide all types of training for the legal industry including classroom trainers, webinars, on-line learning, evaluations and a security awareness program. The Capensys training philosophy is to link training to achieving business goals. Capensys are also Vendor Members of the Legal Technology Core Competencies Certification Coalition (LTC4). Capensys are iManage and NetDocuments Certified Training Partners. To learn more about Capensys please visit

About LTC4

LTC4 is a non-profit organization that has established legal technology core competencies and certification that all law firms, law schools and legal departments can use to measure ongoing efficiency improvements.


NetApp’s Legal Department receives LTC4 certification using Capensys courseware

LTC4 and Capensys are pleased to announce that NetApp’s Legal Department has become the first in-house legal department to receive LTC4 certification.

LTC4 (Legal Technology Core Competency Certification Coalition) Learning Plans provide an industry standard method of assessing technology skills which law firms, legal departments and law schools can use to structure training programs. Today’s attorneys and staff need to be able to demonstrate and prove competence and efficiency with technology.

NetApp’s legal department brings innovative, bold and efficient solutions to meet the needs of the business. The team leverages new technologies to drive efficiencies and foster continuous improvement.

“Our goal is for team members to be offered the opportunity to receive LTC4 Certification across platforms, as well as in the Security Awareness domain. We worked with LTC4 Provider Member Capensys in achieving these certifications,” says Connie Brenton, NetApp’s Chief of Staff & Senior Director of Legal Operations and CEO of CLOC (Corporate Legal Operations Consortium). “This is the start of something big. We will see more innovation-oriented in-house legal departments pursue LTC4 certification in the months ahead.”

For more information about LTC4 go to our website or email


Capensys is now an iManage Certified Training Partner

August 8, 2017

Capensys is delighted to announce that they have formalized their long-standing relationship with iManage by becoming an iManage Certified Training Partner in North America and EMEA. This partnership offers clients the assurance that training provided by Capensys reflects iManage best practices to ensure optimal user adoption.

Capensys and iManage training strategies are closely aligned in that both companies advocate providing learning and support tools designed to help users work. Capensys facilitates this by offering training tools to allow personalized delivery, along with targeted on-line videos, exciting marketing materials and experienced trainers.

“We are delighted to have Capensys join as certified training partners,” said Dean Leung, Chief Customer Success Officer, iManage. “Capensys is a firm known for being international thought-leaders who use a training methodology which is closely aligned to our own best practice recommendations. The Capensys team have extensive experience of document management implementations and have proved that they have detailed understanding of how to assist our customers, both in law firms and corporations.”

“Capensys has worked on many successful iManage rollouts and we are thrilled to have been awarded the official partnership and certification in recognition of our training and strategy implementation expertise,” said John Attinger, Capensys Director of Training and Security.


FordHarrison Certified in ‘Security for Lawyers’ by the Legal Technology Core Competencies Certification Coalition

Capensys is pleased to announce that another Sentinel client has certified in the LTC4 Security Learning Plan.

FordHarrison LLP, one of the country’s largest management-side labor and employment law firms, is pleased to announce that 100 percent of the firm’s legal professionals have been certified in the “Security for Lawyers” Core Competency Learning Plan by the Legal Technology Core Competencies Certification Coalition (LTC4™).

Participants were asked to complete a series of assessments testing their knowledge and skill level concerning different aspects of cyber security. There are currently 10 Core Competency Learning Plans offered by LTC4, including “Security for Lawyers.”


Fladgate builds IT competence to improve client service using Capensys LTC4-approved courseware

In September 2015, Fladgate introduced LTC4 up-skilling and certification using the Capensys courseware and skills evaluation tool. This continuous performance improvement program has been successfully maintained for the past 18 months and is still going strong.


Why LTC4 and Capensys?

Fladgate’s principal goal was to ensure that they achieved a consistently high-level of IT competence in areas that were useful to lawyers and support staff.  They wanted an innovative, workflow-based learning program that focused on the day-to-day work of lawyers and staff.  They also needed a robust long-term solution to ensure that they could build on initial successes.

After researching a variety of options, they were pleased to find that the competencies covered by the LTC4 certification program mirrored those that they had already identified via their initial training needs analysis.  They were also impressed by how the modules focused on the workflows that lawyers undertake on a daily basis.

Another advantage was that LTC4-required skills could be taught, and proficiency measured, via Capensys courseware and evaluation tools. The Capensys Goal-Based Approach ties training to business and user goals and delivers training modules that are process-driven rather than application-driven. This approach was perceived as a very flexible solution, allowing lawyers to learn when and where they wanted to do so, rather than via fixed classroom sessions.

The LTC4 Up-Skilling and Certification Program

Michael Wells, the senior trainer at Fladgate, led the charge, and it’s been 18 months since the program launch. As of this date, they have completed the Working with Legal Documents learning plan. Michael estimates that over 90% of the firm are now certified in Working with Legal Documents.

In just a few weeks, Michael will begin the certification process for the LTC4 Security learning plan using the Capensys Sentinel security awareness modules.

The third learning plan, Working with Documents and Emails, is already planned, developed, and ready to go. It will be launched later in the year - around July or August.

Training Gains

According to feedback from stakeholders and users as well as observing performance in the workplace, some of the significant training gains Fladgate has seen are:

  • More interest from users in IT training and the benefits of learning to streamline their workflows
  • More interest in self-learning — using e-learning content as just-in-time learning rather than ringing the helpdesk
  • Attorneys have become more self-sufficient when creating documents, causing a reduction in basic revision requests — this allows secretaries and others to focus on major document production
  • A measurable difference in improved efficiency in document creation and editing and the substantial reduction in “how do I?” Help Desk calls

Michael was pleasantly surprised when “Contrary to expectation, tutorials and assessments are undertaken at all times of the day and night. People are really using the flexibility to train when it suits them.”

About Fladgate

Fladgate are, first and foremost, experts in law. Many of their lawyers are recognized leaders in their field. They serve their clients as partners in business with a focus on implementing practical solutions that deliver results. Fladgate offers advanced legal expertise across all major legal specialties, combined with a detailed understanding of the dynamics and pressures of their clients’ business sectors.

About Capensys

Capensys Ltd. is a full-service training company for law firms. Capensys provide all types of training for the legal industry including classroom trainers, webinars, on-line learning, evaluations and a security awareness program. Capensys training philosophy is to link training to achieving business goals.  Capensys were also the founders of the Legal Technology Core Competencies Certification Coalition (LTC4). To learn more about Capensys please visit




Capensys Provides CLE and LTC4 Certification for Sentinel Security Awareness Training

Capensys is pleased to announce that our Sentinel Security Awareness Program is now approved for 1 hour of CLE credit. This accreditation covers all of the formats of our security awareness training:

- Online e-learning
- Town hall meetings
- Recorded town hall meetings

We currently have CLE accreditation in New York, California, Florida, Texas, Minnesota, Missouri, Georgia, and have verbal approval (with follow-up) for the following jurisdictions:

- Nevada
- Mississippi
- North Carolina
- Virginia

Would you like to receive accreditation in your jurisdictions?  We can help!

Would you like to achieve LTC4 (Legal Technology Core Competency Certification) at the same time? Our security awareness courseware is approved for LTC4 certification in Security.

To learn more about the Sentinel security awareness program, please contact: