What is the Trigger Event for Implementing Security Awareness Training?

Trigger events are the leading cause for implementing a security awareness training program. After all, most organizations don’t just volunteer to spend money until they experience some type of problem. Security investments are hard to communicate and building a case becomes even more difficult without a trigger event.

A trigger event is a situation impactful enough to cause a reacting event or encourage a behavior change. Most of these negative events lead to positive results — or at least eventually do.

Think of a trigger event you have faced in your life. Have you hated your job so much that you decided to make a career change? Gotten into a car wreck and become a safer and more cautious driver? Been bitten by a radioactive spider and gained superpowers? These are all trigger events that caused a dramatic shift or change in our lives.

Whether you realize it or not, implementing a cyber security awareness training program in an organization is no different. It is almost always triggered by an event and I’ll give you a hint, it’s not because the organization wants to be more secure.

Cyber security triggers

We wanted to get to the bottom of why people start investing in cyber security awareness training. The co-founder of Curricula, Nick Santora (CISA, CISSP) started this survey on LinkedIn.

Based on the survey results, 93% of the responses showed that their security awareness journey originated from a trigger event. Let’s break down the trigger events that are most likely to influence organizations decision to become more secure:

• Compliance Crisis: The most common reason to invest in cyber awareness training is to meet required compliance regulations such as SOC 2, HIPAA, and PCI.
• Hacking Havoc: Organizations of all shapes and sizes are at risk of being hacked. Hacking can result in cyber threats such as ransomware, malware, and data breaches. All of which can be detrimental financially to your business. Being hacked is the cyber equivalent of taking a cold shower, it wakes you up.
• Vendor Vow: Many partnerships or vendor relationships (especially for SaaS organizations) that handle customer data require organizations to provide proof of their cyber education and investment to protect themselves before entering into a contract.
• Insurance Impact: As cyber threats increase so does the significance of cyber insurance. Like any insurance, you have to show that you’re not a liability. A ski instructor will probably have high insurance rates and so will a security awareness training free organization.
• Cyber Care:  And the least popular, is it’s just good for security. This is not a trigger event, but rather secondary knowledge due to the daily headlines reporting the newest million dollar data breach, which we are referring to as a ‘warning trigger event’.

Usually, things have to escalate to one of these trigger events in order to get management buy-in, find budget, and help employees understand the importance of security awareness.

How NOT to respond to a cyber-induced trigger event?

Each trigger event gets measured by its pain points, in how it will be solved, and to what degree. Think of an arm injury. When this injury happens you try to wait for it to fix itself and avoid the doctors. Time passes and it only gets worse. It’s here where you’ll compare the pain point of your arm’s discomfort versus the consequences that might come from a doctor’s visit. If you settle for a homemade sling when you really need surgery, you’ll end up facing more issues in the long term.

This is the same for a cyber security trigger event. Settling on an instant security awareness training solution without processing the long-term consequences can do more harm than good.

However, since we know a trigger event isn’t always the best decision-maker, we’ve developed a list of three (3) common mistakes to avoid:

1. The stress of a trigger event can sometimes put pressure on the decision-maker to rush into finding an immediate solution. Choosing the first Google ad for ‘cyber awareness training’ you see can trap organizations into long and expensive contracts with security awareness training programs that aren’t even effective for the entire organization. This is like crashing your car, going to the car dealership, and buying the first car you see.
2. Organizations who are triggered by a compliance event tend to not understand the actual goal of compliance which is to make their employees more cyber aware. Focusing on compliance rather than security will most likely lead to another trigger event (aka Hacking Havoc) that will make you start from square one again. If the entire goal is to just ‘check a box’ regardless of outcome then it doesn’t actually help your organization become any safer.
3. We’ve mentioned managerial buy-in but a crucial element that frequently gets left out is employee buy-in. What that means is ensuring that your employees are aware of the trigger event and that they will enjoy and benefit from the program of your choosing (meaning it won’t be an irritating chore). Both of these will avoid making employees upset about any new procedures put in place. You have to care about the security awareness training program you choose to roll out to your employees as they’ll be the ones using it.

Quickly finding a half-hearted solution will simply be putting a bandaid on a bigger problem. In the long term, it will save you time, money and avoid confusion for your employees by investing in an effective security awareness program from the start that suits your organization’s needs — not just the trigger event.

What’s the solution?

The best solution is to be proactive rather than reactive and invest in security awareness training before a trigger event happens. Ideally, you don’t break your arm then invest in insurance or start locking your house only after it’s been broken into. Same with cyber security, you don’t want to wait for a huge breach only to realize what you could have done to protect yourself.

However, realistically we know that won’t always be an option. In the case of cyber security triggered events, the key is developing a good security awareness program that focuses on the outcome rather than just the output. This means thinking about how the security awareness training outcomes will prevent another trigger event and solve the bigger problem. We can help you brainstorm some of the good vs. bad outcomes:

Bad outcomes:

• Establish the quickest security awareness program regardless of employee input or research.
• Only looking to numbers for proof to merely ‘check the box’

Good outcomes:

• Build a security culture
• Encourage employee’s to make better security decisions when no one is looking

While we will always encourage your organization to proactive and figure out what will make a difference before you need it. If a trigger event does happen we say embrace it, understand your mistake and figure out what’s the best way to fix it.