- Security awareness training is not required. To be honest, I was surprised by this. Even large organizations with a low risk tolerance often did not have required training, or, where training was required, it was only the bare minimum.
- Corporate limits how often you can communicate with employees. For example, corporate may not allow your security awareness team to email employees, as they are attempting to reduce the amount of internal email people have to read.
- Limited budget.
One of the keys to bypassing these challenges and engaging people is to focus on content that people want to take. Think about it: I'll bet over 70% of your awareness program applies as much to people's personal lives as it does to work. People use email both at work and at home, and the same goes for mobile devices, browsing, social networking, and secure password use. Usually the only parts of an awareness program that do not apply to personal lives are specific policies, such as acceptable use or data protection and handling.
Communicate your awareness program so that you focus on how people benefit personally, and on how these lessons will help secure them at home. Go so far as to offer specific training on how to protect their kids online, how to protect their home computers, or how to set up a secure home Wi-Fi network. Not only does this type of content engage and draw people in, but you now have them practicing secure behaviors both at work and at home. Security becomes part of their DNA. By creating content that people will want to take, word will spread and people will come to you to take the training. You know your program is ultimately a success when people start asking how their family can take the training too.