The role of L&D in developing a culture of security at work

Almost every business today is reliant upon some form of connected information technology (IT) — whether it’s an integral aspect of the company itself, or as a minor tool to facilitate online communication. This can be a great tool in the potential success of our businesses, but by closely embracing digital devices we are also embracing a vulnerability to cybercrime.

By some estimates, the cost of cybercrime each year in the U.S. is upwards of $45 billion. It seems strange, then, that security is often something of an afterthought for many companies. We tend to treat it as a costly additional component rather than an essential aspect which must be integrated into every facet of our business.

Trainers have a significant role to play in influencing companies and staff, developing a culture that embraces cybersecurity, rather than just paying lip service to it.

But where do we start?

How do we prompt the transition from cybersecurity as an addition to ensuring these protective strategies are a primary feature of our workspaces?

We’ll introduce you to a few key areas that can help you develop a secure IT culture, and keep it that way.

Beyond onboarding

We know that security protocols have a place in the initial training of employees. However, while establishing the expectations of new hires may well provide a good basic grounding, it doesn’t necessarily reinforce long-term secure behavior.

So how can we make certain that cybersecurity is ingrained into working practices?

Many companies today use a combination of cloud computing and e-learning platforms in order to onboard employees. This can also be used to implement and maintain security strategies with each staff member, not only in the first days but in the months and years beyond.

Learning and development (L&D) personnel should take a modular approach that utilizes these platforms to:

  • Introduce threats. How do they appear in the working environment? Show employees what phishing scams actually look like, and use e-learning platforms to take them through a step-by-step guide to the actions they should (and shouldn’t) take.
  • Demonstrate good password security. Develop a guide to the theory and practice of choosing strong passwords, and even encourage the use of online password checkers.
  • Reinforce secure behavior. Use multimedia techniques to show the differences between secure and risky behaviors, both in the workplace in general and specific to their positions. Videos, exercises, and quizzes can all be good tools in teaching how a security-considerate approach can prevent breaches.
  • Revisit modules. Part of the key to a secure culture is periodic refreshers and updates — you update your software, so you should update your training. Demonstration of secure protocols can be part of employees’ ongoing development, and also a requirement for any career progression.

This retention-friendly approach can also be used when building a company’s IT disaster recovery plan. Our current technological environment, which is subject to constantly changing threats, has made it vital for companies to have measures in place to help mitigate the damage and disruption caused by the unexpected.

Frequent e-learning modules can do more than remind employees of preparatory actions, such as backing up data and storage requirements; they can also be used to frequently test the robustness of your plan and employees’ understanding of how to act in the case of a disaster.

Staff experts

While most businesses today have dedicated IT staff who take care of updates and networking, this does not necessarily mean that they have engaged sufficiently with cybercrime prevention. In fact, 38% of Fortune 500 companies have neglected to bring a Chief Information Security Officer (CISO) on board to implement protections for their businesses, effectively making them sitting ducks for breaches.

For any security strategy to be at its most effective, a team of experts needs to be in place to both guide and implement it.

This can be a difficult sell to those business leaders who aren’t familiar with the full scope of the value that experts, such as a Security Operations Center (SOC) analyst, can bring to the table. Their role will include the ongoing monitoring of changing threats and potential points of vulnerability in the business.

They do more than react to the introduction of viruses and malware; alongside cybersecurity engineers and security administrators, they’ll build protocols tailored to the requirements of the business that will prevent breaches from occurring in the first place.

These teams are valuable tools for L&D professionals, helping to direct the subject matter of cybersecurity training. They can provide assets to help demonstrate the current risks, and an insider’s view on the most appropriate behavior and strategies to adopt.

The presence of expert cybersecurity colleagues also helps to maintain an informed dialogue with all members of staff, supporting the company-wide secure culture.

Deeper understanding

Many companies and their employees treat their cybersecurity protocols simply as rules that staff must follow, with consequences for any lapses. This is not always the most effective approach. While this may dictate the company’s requirements, it certainly doesn’t foster an understanding in employees of how their behavior affects security.

Rather than simply making cybersecurity another item in a long line of rules staff must follow, it’s important to provide a deeper knowledge of how it helps the entire company — staff included — to thrive safely.

Let’s take the example of personal device usage: many companies have been struggling with the issue of Bring Your Own Device (BYOD) policies. BYOD is cost-effective, but it also presents the risk of employees bringing compromised equipment into an otherwise secure environment. Employees need to understand the risks of bringing their devices to work and the protocols associated with doing so.

Our mobile devices — whether phones, tablets, or smartwatches — are portable points of vulnerability. Staff need to understand that while there are networking safeguards in the office, these are not always in place at home or on public networks. This means their online behavior needs to be considered even more carefully outside of the office.

Help them to see how they could be compromised: physical access to unattended devices, phishing scams, and exploited Wi-Fi hotspots. Provide them with the tools they need to keep themselves and their colleagues secure.


In order to establish effective cybersecurity protocols in the workplace, we need to pay greater attention to how we approach the subject. We can’t expect to keep our businesses and employees safe while treating security as an optional extra. By integrating frequent training, establishing a team of dedicated experts, and helping employees understand the impact of threats, we can instill a culture of beneficial, mindful cyber-safety.