You are Doing Cyberscecurity Awareness and Training Wrong
Let me tell you how most of my pitch calls go when someone needs instructional design work for their company’s cybersecurity awareness and training.
The customer typically says something along the lines of, “We just need a quick and dirty training, to check off the compliance box”.
I ask, “Can you send me your policies and procedures so I can weave them into the training?”
“My boss doesn’t want this eating up a bunch of time and resources. We just need the compliance. This isn’t about learning.”
In the case of Response A, I always say, “Doesn’t it make sense to train your employees on your security stack based on their roles? Don’t you know policy and procedures mean nothing without people? We can write your awareness and training so it reflects your people, processes, and technology, and most importantly the threats the data you hold faces.”
“We really don’t have the policies and procedures in place.”
For Response B, I always say, “Then your awareness and training needs to start with how to write and deploy policies and procedures.”
The Call Back
Almost always I get a call back an hour or day later with, “I talked to the boss. They want to keep it dead simple and focus on compliance. How much for a quick one hour training?”
I wish them luck and shut down the call.