How to Build a Cybersecurity Awareness Program from the Ground Up

Andrew Obadiaru
CISO, Cobalt

Amid an ever-evolving cyber threat landscape, CISOs must anticipate the strategies that will be needed to keep their organizations safe. Of critical importance, they need to ensure their colleagues can spot – and report – security scams and other suspicious behaviors easily. Cybersecurity training ensures CISOs’ first line of defense – their people – are always on high alert. Cybersecurity awareness programs empower your organization to make the right judgment when you’re not there to guide them. Training and awareness programs expose your employees and colleagues to the sophisticated techniques deployed by cybercriminals; by educating them on these techniques, they are able to exercise good judgment where cybersecurity is concerned. Human error remains the leading cause of cyber-attacks and security breaches, so these training programs can prove invaluable. In the following, we’ll outline the fundamental steps and considerations required for building a cybersecurity awareness program from the ground up within any organization.

Assess Where You Are

The first step is to conduct an initial assessment of your organization’s cybersecurity risk exposure and take stock of the current levels of cyber awareness in your user community. An assessment is necessary because it helps you evaluate which cybersecurity threats you are most susceptible to as an organization and how aware your employees and colleagues currently are of them. This will help you determine the scope and depth of the materials needed for your awareness program. Additionally, you’ll be able to set realistic goals and timelines for reaching your security maturity program milestones.

Resource Allocation

Next, based on the outcome of your assessment, you’ll need to determine the appropriate cybersecurity topics and training materials needed to create your program. Once you’ve laid that out, you will need to decide whether to leverage the services of a reputable cybersecurity consulting firm or use internal resources. It’s important to be honest about whether you have the monetary resources to hire and onboard an outside firm, or whether you want to do it yourself. If you want to handle it all internally, you need to assess whether you have access to the right internal personnel or will need to hire them. Think long and hard about what makes the most financial sense and will be most effective in terms of time.

Determine Scope of Awareness Program

Training should be tailored to help your employees recognize and avoid techniques commonly deployed by cybercriminals, as well as educate them on prevalent cybersecurity issues and the different attack vectors: email, spear phishing, malware, ransomware, social engineering, and so on. Each of these will have varying degrees of importance for your organization, so take note of how extensive the training on each will need to be when building your program.

Once you’ve assessed your cybersecurity risks, determined the breadth and depth of the training they call for, and decided how you’ll staff it, you will need to choose a cybersecurity awareness method that provides reinforcement and emphasizes the importance of cybersecurity on a continual basis. Building a program means ensuring that there is continuity and reinforcement of the principles your organization has learned.

A well-managed cybersecurity awareness program leads, over time, to a security-focused culture within your organization. Regular cybersecurity training instills better security habits, which is why, as a cybersecurity leader, it’s important to create this culture if one doesn’t already exist in your organization. By following these simple steps, you will be able to create a cybersecurity awareness program that empowers your organization to make the right judgment calls when you’re not there to guide them.
