October is National Cybersecurity Awareness Month, making now the perfect time to highlight two essential components of every organization’s security and privacy posture - awareness and training.

As a Certified eLearning Designer and one of the Team Leads for Project Team 7 of the National Institute of Standards and Technology’s (NIST) Privacy Workforce Public Working Group (PWWG), I have spent countless hours thinking about these activities and supporting the development of these programs to help organizations strengthen their privacy and security programs.

While the terms “awareness” and “training” are often used interchangeably, they serve different - but complementary - purposes. Awareness is about transferring knowledge, ensuring employees are informed of risks and best practices. Training, on the other hand, is about transforming behaviors, equipping employees with the right skills and helping them perform the required tasks to be successful. Both are essential, but their goals should be understood as interrelated yet distinct.

Understanding the Difference

To illustrate the difference between awareness and training, let’s consider a simple example of fire safety! A mascot like Smokey Bear with the slogan “Only you can prevent wildfires” is an effective - and memorable - awareness campaign. It aims to educate the public that almost nine out of 10 wildfires nationwide are caused by humans and are preventable. Then there’s training: fire drills and “Stop, Drop, and Roll” teach specific behaviors and actions to perform during an emergency.

The same principles apply to cybersecurity. Awareness informs your workforce about potential threats, like phishing emails or weak passwords, while training ensures they know what to do when faced with a threat. Awareness can precede training to share basic information or prepare employees for learning, or these activities can be coordinated with training to reinforce key lessons. In either case, awareness efforts serve as valuable reminders, ensuring that security and privacy best practices stay top of mind and that training becomes more effective over time.

National Cybersecurity Awareness Month: Focus on What’s Essential

This National Cybersecurity Awareness Month, don’t feel the pressure to overhaul your entire cybersecurity training program. Instead, focus on closing any existing knowledge gaps or identifying specific information that can support your workforce’s effectiveness. Starting points include:

  • Start with the facts - Provide clear, actionable information. For example, ensure your team knows where and how to report suspicious emails using tools like the “Report Phishing” button in many email applications.
  • Explain the “why” - Help your employees understand the reasons behind your policies, such as the importance of MFA in securing accounts. This reduces the likelihood they’ll attempt to bypass security measures.
  • Reinforce best practices - Promote good cyber hygiene, like recognizing suspicious emails, updating software, and avoiding clicking on unverified links or attachments.

New from NIST: Updates to NIST SP 800-50

A timely update from the National Institute of Standards and Technology (NIST) underscores the importance of blending awareness and training in cybersecurity programs. NIST SP 800-50 Revision 1, “Building a Cybersecurity and Privacy Learning Program,” emphasizes creating a culture of security and privacy through continuous awareness activities that support direct training. Following this updated framework can help organizations cultivate an informed workforce, ensuring that their practices remain effective and up to date.

NIST’s updated guidance, which revises 20-year-old federal cybersecurity and privacy learning program guidance, advocates for ongoing awareness efforts paired with practical training. The document also includes examples of awareness activities, including messages on log-on screens, employee newsletters, posters, and timely reminders via emails. These activities, along with events like Cybersecurity Awareness Month, create a more resilient workforce by embedding best practices into daily operations.

To maintain a successful cybersecurity program, organizations need both training and awareness. While training equips your workforce with the skills they need to perform in critical situations, awareness campaigns help create an informed workforce and support your overall organizational culture.

Together, these efforts will ensure your team is empowered to face cybersecurity threats.

Ivy Orecchio
