Powered by

# 8.1 Security Awareness Ownership and Training Plan

# Goals

Cybersecurity education needs an owner and a schedule.

If training is informal, it usually becomes inconsistent. Some employees may receive good guidance. Others may receive none. New employees may miss important instructions. High-risk teams may not get the extra training they need. Leadership may not see where behavior, process, or reporting gaps remain.

The goal of this section is to make cybersecurity education planned, assigned, repeated, and tracked.

# Step 1: Assign a Security Awareness Owner

Assign one person to coordinate cybersecurity education.

This may be the IT lead, HR lead, operations manager, compliance owner, MSP contact, or another assigned role.

The security awareness owner is responsible for making sure training is delivered, updated, recorded, and reviewed.

This person does not need to teach every session personally. They are responsible for making sure the program happens.

# Step 2: Define Who Needs Training

Identify all groups that need cybersecurity education.

Include:

  • All employees
  • New employees
  • Executives and senior managers
  • Finance and accounting
  • HR
  • IT and system administrators
  • Sales and customer service
  • Operations and procurement
  • Remote workers
  • Contractors and temporary staff
  • Vendors or third parties with access to company systems

Not every group needs the same training. Basic training should apply to everyone. Higher-risk roles should receive additional role-specific guidance.

# Step 3: Define the Core Training Topics

Every employee should understand the basic behaviors that reduce cybersecurity risk.

Core topics should include:

  • Phishing and suspicious links
  • Social engineering
  • Password safety
  • MFA use and unexpected MFA prompts
  • Safe email and attachment handling
  • Safe data sharing
  • Use of approved tools
  • Device security
  • Remote work security
  • Reporting suspicious activity
  • Reporting mistakes quickly
  • Basic incident response expectations

The training should focus on what employees should do in real situations, not only policy language.

# Step 4: Define Role-Based Training

Some teams need extra training because they handle higher-risk decisions, sensitive data, privileged access, or customer-facing communication.

Examples:

  • Finance should receive training on invoice fraud, bank-detail changes, payment verification, and executive impersonation.

  • HR should receive training on employee data, payroll information, onboarding, offboarding, and sensitive document sharing.

  • Executives should receive training on impersonation, approval pressure, cyber risk decisions, and incident communication.

  • IT and Administrators should receive training on privileged access, MFA resets, vendor access, patching, logging, backups, and incident evidence.

  • Sales and Customer Service should receive training on suspicious customer messages, data handling, account changes, and impersonation attempts.

  • Developers and Technical Staff should receive training on secrets, repositories, cloud access, secure coding, and dependency risk.

Training should match the actual risk of the role.

# Step 5: Build a Simple Training Schedule

Create a practical training schedule for the year.

A basic schedule may include:

  • Cybersecurity onboarding for every new employee.
  • Annual core cybersecurity training for all staff.
  • Short quarterly reminders on current risks.
  • Role-based training for high-risk teams.
  • Executive briefing at least once per year.
  • Phishing or social engineering practice where appropriate.
  • Incident response or reporting exercise at least once per year.

Training does not always need to be long. Short, repeated, practical reminders are often more useful than one long annual session.

# Step 6: Include Training in Onboarding and Offboarding

New employees should receive security guidance before they start using company systems heavily.

  • Onboarding should cover passwords, MFA, approved tools, data handling, device rules, reporting suspicious activity, and where to ask for help.

  • Offboarding should remind managers and IT to remove access, recover devices, transfer ownership of files, disable accounts, and confirm vendor or shared access is not left behind.

Security education should be part of the employee lifecycle, not a separate one-time event.

# Step 7: Track Completion and Evidence

Keep records showing who completed training and when.

Record:

  • Employee name
  • Department
  • Training assigned
  • Training completed
  • Role-based training required
  • Completion date
  • Training evidence
  • Missed training
  • Follow-up required

This evidence is useful for leadership review, customer questionnaires, audits, insurance requirements, compliance checks, and internal improvement.

# Step 8: Update Training After Incidents and Changes

Training should be updated when the company learns something new.

Update training after:

  • Cybersecurity incidents
  • Near misses
  • Phishing campaigns
  • Payment fraud attempts
  • New systems or SaaS tools
  • New remote work procedures
  • New data handling requirements
  • New policies
  • Changes in cyber insurance or customer requirements
  • Recurring employee mistakes

Training should reflect real risks the company is seeing.

# Step 9: Review the Training Plan Regularly

Review the training plan at least once per year.

Check whether training was completed, whether high-risk teams received role-based guidance, whether employees know how to report suspicious activity, whether incident lessons were added, and whether new business processes created new risks.

The review should answer:

  • Did the planned training happen?
  • Who missed training?
  • Which teams need more focused guidance?
  • What topics need to be updated?
  • What behavior or reporting gaps remain?
  • What should change next year?

# Suggested Training Plan Template

Use a simple plan with these fields:

  • Training topic
  • Audience
  • Owner
  • Delivery method
  • Frequency
  • Required or optional
  • Completion tracking method
  • Evidence location
  • Last delivered date
  • Next due date
  • Notes

# Expected Outputs from This Section

At the end of this section, the company should have:

  • A named security awareness owner.
  • A defined audience list.
  • Core employee training topics.
  • Role-based training topics.
  • A basic annual training schedule.
  • Cybersecurity onboarding requirements.
  • Training completion tracking.
  • Evidence of completed training.
  • A process for updating training after incidents or major changes.
  • A review schedule for the training plan.

# Objective

Security awareness needs ownership, repetition, and records.

A company should leave this section able to say:

“We know who owns training, who needs it, what they must learn, when it happens, and how completion is tracked.”

That is security awareness ownership and training planning.

© Copyright 2026. All rights reserved.