Getting it right: security awareness program on a budget

Introducing a Security Awareness program is becoming increasingly important for organizations as the cybersecurity landscape changes rapidly. This undertaking becomes even more challenging if the security team is new to the organization and operates on a limited budget.

In this blog post, I share my experience implementing a security awareness program enriched by extensive research and insights from consulting with industry experts. This guide is designed to be highly practical to help you build and execute an effective program without breaking the bank.


Assumptions

This post will be most relevant to organizations in a situation similar to the following conditions:

  • The Security Awareness program does not exist yet.
  • The Security team is new to your organization.
  • The available budget is such that most or all of the program has to be built and delivered in-house.

Starting behind the eight-ball

Building and introducing a Security Awareness program is a challenge. Doing that in a company where the Security team is new, culturally and logistically, is a challenge squared. Having a constrained budget and timeline makes that challenge, well, cubed.

People in your company may not have a clear understanding of why a security team exists, what to expect from them, and how it will impact their established processes and timelines. A well-thought-out Security Awareness program will help address many uncertainties, calm fears, and soothe worries.

Additionally, a good-quality Security Awareness program can bring a host of benefits:

  • Help meet customers’ contractual requirements. Customers may expect robust security practices at your company and require proof that you introduced them. Security awareness training is an excellent way to bring the organization together quickly and start progressing on the most important security activities right away.
  • Contribute to audit readiness if your company wants to achieve industry-standard certifications or demonstrate compliance with frameworks and regulations like SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and more. Most of them expect documented, recurring awareness training.
    For example, consider the “Requirements and Testing Procedures” section of the current PCI DSS 4.0.1 standard. It contains the following requirement:

    12.6.1 A formal security awareness program is implemented to make all personnel aware of the entity’s information security policy and procedures, and their role in protecting the cardholder data.

  • Improve the company’s security culture. Investing in a security-conscious culture makes operations cheaper and people less stressed. Security-conscious employees help prevent incidents and enable a proactive approach to potential threats because they know how to spot when something’s not right.
    Such awareness also reduces the number of surprise incidents and the on-call work that comes with them.
  • A shared understanding of the Security team’s mission by other teams. Even if the Security team is a new concept to the company, this team’s role is critical in building customer trust and maintaining the integrity of the company’s operations. When other teams know what Security is there for, they are more willing to collaborate instead of seeing the Security team as a department of “no”.

External awareness training suppliers

The topic of Security awareness is not new, and numerous companies on the market offer pre-defined, sometimes highly tailored, awareness programs. The sessions can be administered live in the office, remotely via a video call, or self-paced with completion tracking.

Below are just a few examples of training providers who are highly regarded in the Information security space:

Often, such offerings include additional benefits on top of “classic” training:

  • Intelligent grouping that uses individual employee behavior and user attributes to tailor training assignments, remedial learning, and reporting.
  • Advanced reporting and high-level overviews of previous campaigns, well suited for time-constrained management.
  • Custom phishing simulations whose scenarios can be tailored with personal details to emulate targeted spear phishing campaigns.

Overall, there are many pros and one potentially significant con: the budget will likely be higher.


Getting started

Here’s how to introduce and conduct Security awareness training in an organization. On a budget ☝️

1. Get Leadership buy-in

This may very well be step 0, the foundation on which everything else is built. From the start, it can go one of two ways:

  • There is no leadership buy-in. The program will lack the necessary support and resources across the organization, making it difficult to prioritize security and get people to attend your training. The follow-up on anything the teams must do to support the security effort will likely be low.
  • With leadership buy-in, the program’s importance is elevated, and it gains visibility and encouragement for people to participate and have an open mind.

Practical steps

  • Prepare a compelling case highlighting the real risks of not having a Security awareness program. The case should be tailored to the organization and be relevant to whatever the business objectives are:
    • increased spending on incident handling (and on-call support),
    • potential to have compliance audits fail,
    • organizational susceptibility to phishing attacks, resulting in significant financial and reputation losses.
  • Show potential cost savings from avoiding security incidents and compliance penalties, especially within the teams expected to work on-call or handle security incidents.
  • Align the program’s goals with the company’s overall objectives and strategic priorities, such as gaining customers’ confidence and delivering stable, reliable software.

Help them see the issue, but keep it real. The end goal behind introducing the program is to make the company better prepared and more resilient to cyberspace threats, not merely to “scare the management”.


2. Identify the target audience

To determine the target audience, look at the organization you are rolling the program out to and ask the following questions:

  1. Which teams are in scope?
  2. Can they be logically divided into teams or departments? For example, engineering or development, platform or DevOps, and technical support?
  3. What is the level of their security awareness today?

Key considerations

  • Departments and teams. List target teams: engineering, platform, technical support, and other relevant groups.
  • Rollout scope. Determine whether the program will be rolled out within one department, organization, business unit, or several units. It is generally better to narrow the focus to make the process more manageable and predictable.

Practical steps

  • Create a list of all target groups.
  • Assess each group’s specific security needs and knowledge levels. Talk to the leaders of the groups to better understand their views on security and the current team’s knowledge of security topics.

3. Define the high-level topics

Define what you want to achieve by the end of the program. It could be increased awareness and improved ability to deal with security incidents, organizational behavioral change, and obtaining team commitments to enhance security practices.

The topics can include:

  • Basic cybersecurity hygiene (e.g., password management, phishing awareness)
  • Company-specific policies and procedures
  • Compliance and customer-specific requirements
  • Data protection and privacy concerns
  • Incident response procedures and automation

4. Break down the topics into individual sessions

To effectively structure the delivery of topics, break them down into manageable sessions. Each session should ideally be kept short, around 30 minutes, to maintain participants’ engagement.
People tend to tune out about 10 minutes into a meeting. To retain participants’ focus, change subjects frequently, for example, every 5 to 7 minutes.

Allocating 5 to 10 minutes for questions within each session is essential to ensuring everyone understands the material and can get more details from you.

Practical steps

  • Divide topics into manageable chunks that can be covered in individual sessions of about 30 minutes.
  • Budget some question time of up to 10 minutes per session.
  • Ensure each session builds upon the previous one for continuity.
  • Use images, animation, or short videos to retain focus.

5. Preparation round with team leads

Meeting team leads and managers before starting the sessions helps familiarize them with the program, ensuring they are well-acquainted with its content and objectives. This initial step provides an opportunity to address any questions or concerns they may have upfront, fostering a clear understanding and smooth implementation.

Additionally, this phase seeks to gain the support of the leaders in reinforcing the training messages within their teams, ensuring a cohesive and unified approach to the program’s goals.

Practical steps

  • Schedule a preliminary meeting with team leads and managers.
  • Provide them with an overview of the program and its objectives. Consider reviewing the training materials together.
  • Ask them for feedback and make any necessary adjustments, keeping in mind the session’s objective to avoid deviating from it.

6. Track attendance

It is easy to forget to record who attended because, most of the time, nobody asks for it. However, this practice pays off during compliance audits: it provides evidence that the required training was conducted and who attended it. Keeping track of attendance also lets you measure the program’s reach and spot the teams or individuals who have not yet been covered.

Practical tips

  • Use simple tools like spreadsheets or low-cost software solutions to record attendance.
  • Provide incentives for attendance, such as recognition or certificates of completion.
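The “simple tools” can be as simple as two CSV exports and a short script. The example below is added here and is not code from the original post; it assumes a roster export (email, name, team) and an attendance log (date, session, email) with the constructed sample rows shown, and produces the figures an auditor typically asks for: per-team completion, who still owes which session, and sign-ins from people who are not on the roster (contractors, leavers, or typos that would otherwise inflate the numbers).

```python
import csv
import io
from collections import defaultdict

# Constructed sample data (not from the post): a roster export and an
# attendance log, in the shape a spreadsheet export would have.
ROSTER_CSV = """\
email,name,team
ana@example.com,Ana,engineering
bob@example.com,Bob,engineering
cem@example.com,Cem,platform
dee@example.com,Dee,platform
eli@example.com,Eli,support
"""

ATTENDANCE_CSV = """\
date,session,email
2024-05-06,1,ana@example.com
2024-05-06,1,bob@example.com
2024-05-06,1,cem@example.com
2024-05-08,1,dee@example.com
2024-05-13,2,ana@example.com
2024-05-13,2,cem@example.com
2024-05-15,2,ana@example.com
2024-05-20,3,ana@example.com
2024-05-20,3,bob@example.com
2024-05-20,3,zed@example.com
"""

# The sessions every person in scope must complete (assumed: three sessions).
REQUIRED_SESSIONS = {"1", "2", "3"}


def load_roster(text):
    """Map email -> team from a roster CSV export (emails normalized)."""
    return {row["email"].strip().lower(): row["team"].strip()
            for row in csv.DictReader(io.StringIO(text))}


def load_attendance(text):
    """Map email -> set of sessions attended. Attending a repeat run of the
    same session collapses into one entry, so repeats do not double count."""
    attended = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        attended[row["email"].strip().lower()].add(row["session"].strip())
    return attended


def completion_report(roster, attended, required=REQUIRED_SESSIONS):
    """Return (per-team counts, outstanding people, unknown sign-ins)."""
    per_team = defaultdict(lambda: {"headcount": 0, "complete": 0})
    outstanding = []
    for email, team in sorted(roster.items()):
        missing = sorted(required - attended.get(email, set()))
        per_team[team]["headcount"] += 1
        if missing:
            outstanding.append((email, team, missing))
        else:
            per_team[team]["complete"] += 1
    # People in the log but not on the roster: contractors, leavers, typos.
    unknown = sorted(set(attended) - set(roster))
    return dict(per_team), outstanding, unknown


def completion_rate(per_team, team):
    """Fraction of a team that has completed all required sessions."""
    counts = per_team[team]
    return counts["complete"] / counts["headcount"] if counts["headcount"] else 0.0


if __name__ == "__main__":
    roster = load_roster(ROSTER_CSV)
    attended = load_attendance(ATTENDANCE_CSV)
    per_team, outstanding, unknown = completion_report(roster, attended)
    for team in sorted(per_team):
        counts = per_team[team]
        print(f"{team:12s} {counts['complete']}/{counts['headcount']} complete")
    for email, team, missing in outstanding:
        print(f"  outstanding: {email} ({team}) sessions {', '.join(missing)}")
    if unknown:
        print("  signed in but not on roster:", ", ".join(unknown))
```

Run it after each session, keep the CSVs and the printed report together with the slide deck, and you have the audit trail without buying a learning management system. The outstanding list doubles as the follow-up list for team leads.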

7. Schedule sessions

At this stage, you should know who will attend, the teams they belong to, the materials to be presented, and the time required between sessions to prevent overload.

It is advisable to have a detailed schedule of the whole training program to balance session frequency and duration, ensuring attendees can absorb and retain information.

Best practices

  • Avoid overcrowded sessions; smaller groups enhance interaction and engagement.
  • Send calendar invites at least a week or two before the sessions begin.

Practical steps

  • Determine the number of sessions needed based on the target audience and create a full schedule to guide you as you work out invitations.
  • Split larger groups into smaller, manageable sessions.
  • Consider offering sessions at different times to accommodate various schedules and time zones, if applicable. This flexibility increases participation and ensures no one misses out due to time constraints.

8. Ask for feedback

Feedback helps identify program areas that need improvement, whether it’s the content, delivery method, or overall structure. By understanding what works well and what doesn’t, you can make necessary adjustments to improve future sessions.

Participants can highlight which topics were most beneficial and which were less relevant. It ensures that future sessions focus on the most impactful areas, maximizing the value of the training.

Purpose

  • Gather insights to improve future sessions.
  • Address any issues or gaps identified by participants.
  • Reallocate air time to topics that matter most.

Practical steps

  • Conduct feedback sessions with the entire audience or only team leads and managers to save time.
  • Use surveys or informal meetings to collect feedback.
  • Record everything to use that information in a retrospective or a “lessons learned” session. This step is particularly important when several people are working on the awareness program.

Timeline

The timeline for implementing a security awareness training program will depend on several factors, including the size of your audience, the number of sessions required, and the availability and time zones your company operates within.

For instance, consider a scenario involving one organization with a purely technical audience. Suppose there are 6 to 8 teams, and you need 3 sessions to cover 7 high-level topics.

If each session is administered twice, it will take approximately 6 weeks to complete all the steps outlined in this post, taking the company from having no training to having a fully implemented security awareness program.


Summing it all up

Introducing a Security awareness program on a tight budget is challenging, especially for a new security team. The key is to “start small” and focus on practical steps to build a strong foundation, followed by a tailored, high-quality awareness program.

Here’s a summary of practical strategies:

  1. Leadership buy-in: Secure support from leadership by presenting the risks of not investing in a security program, highlighting potential cost savings, and aligning goals with company objectives.
  2. Identify target audience: Determine which departments or teams need training and assess their current security awareness levels.
  3. Define high-level topics: Focus on essential areas such as basic cybersecurity hygiene, company policies, compliance requirements, and incident response.
  4. Break down topics into sessions: Keep sessions short (about 30 minutes) to maintain engagement and include time for questions.
  5. Pre-run with team leads: Meet with team leads to familiarize them with the program and gain their support.
  6. Track attendance: Use simple tools to record attendance, which is helpful for compliance audits, if applicable to your situation.
  7. Schedule the sessions: Plan sessions to provide enough time for trainers and the audience to comfortably deliver and digest training material. Consider different times to accommodate all schedules and keep group sizes manageable.
  8. Gather feedback: Collect feedback to improve future sessions, focusing on what participants find most beneficial. Keep a record of the feedback received.

By following these steps, you can effectively implement a Security awareness program that enhances security culture, meets compliance requirements, and is feasible within budget constraints.
