#InfosecNA: The Benefits of Training Employees to Hack

For most corporate denizens, security training is an unpleasant but necessary evil, but does it have to be? Not according to Kris Martel, CISO of Imagine IT, who uses a highly interactive approach to create an engaging, entertaining learning environment that makes security meaningful and interesting to the average employee.



Speaking at Infosecurity ISACA North America Expo and Conference in New York, Martel shared some of the things he uses in his trainings to help improve security awareness and compliance, and have employees eagerly awaiting their next session.



“Cyber awareness training must change audience perception by making it [security] relevant to the organization or the individuals you’re teaching,” said Martel. “The way to do that is to make it engaging, interactive and fun – and unpredictable,” he added. One of the ways he engages employees is to teach them real-world hacking skills, including how to craft effective phishing attacks, helping them learn who has their Facebook login and taking them on guided tours of the Dark Web. Whenever possible, Martel finds ways to reward participation with small but popular tokens such as preferred parking spots, movie tickets and, in some cases, internal cryptocurrency.



Martel has developed a fun and effective way to deal with experienced cyber-workers who don’t take the training seriously because they believe they are too smart to be hacked: he offers them a friendly challenge. After a co-worker accepts the challenge, he begins a surveillance phase which, depending on how good his opponent is, can last anywhere from a few days to a few months. In one case, with an especially cyber-savvy individual, his usual hunt within social ..
