Building Engagement Through Practical Training

Implementing cybersecurity frameworks like CMMC appears at first glance to be mostly about putting technical controls in place to protect sensitive information like Controlled Unclassified Information (CUI). But a closer look reveals that information security has to be institutionalized. People have to be involved to actively protect information constantly. And that requires cultural transformation, leadership buy-in, and active employee engagement.

Cultural transformation is probably the biggest challenge for organizational leadership. Let’s explore a few ways to facilitate a security culture and turn the cost of compliance into a cost-effective way to make an organization more efficient and competitive.

One of the most effective ways to foster that shift is by turning mandatory CMMC cybersecurity training into practical, scenario-based exercises that focus on organizational strategy and tactical planning.

Making Training Meaningful with Real-World Scenarios

The CMMC Assessment Guide (CAP) outlines several key training requirements that organizations must implement:

· Incident Response Testing – IR.L2-3.6.3

· Insider Threat Awareness Training – AT.L2-3.2.3

· Role-Based Risk Awareness – AT.L2-3.2.1

· Role-Based Training – AT.L2-3.2.2

While these training requirements are crucial for compliance, many organizations struggle with making them engaging and relevant to their teams. Traditional, lecture-based cybersecurity training usually fails to capture employees’ attention or prepare them for real threats. People dread the training, put it off, and often have to be bugged to take it.

The Solution: Tabletop Exercises for Practical Engagement

One of the best ways to drive greater engagement is by tailoring these training modules into interactive strategic planning sessions to reflect your organization’s actual risks, as documented in your Risk Register and Plan of Actions and Milestones (POA&M).

Rather than presenting abstract risks, teams can simulate how they plan to respond to real, organization-specific situations. This approach transforms cybersecurity training from a compliance requirement into a group planning session that allows employees to:

· Walk through potential insider threats and how early detection and reporting can mitigate damage (AT.L2-3.2.3). During the sessions, management facilitates discussions to identify risks and appropriate responses to them. The Risk Register and POA&M are updated based on the discussion to reflect the resulting decisions.

· Test their response to an actual risk scenario by walking through and refining their escalation procedures (IR.L2-3.6.3) and plan of action as if the risk were realized.

· Understand role-based responsibilities and how different teams will contribute to risk mitigation (AT.L2-3.2.1, AT.L2-3.2.2).

· Improve coordination between security teams and leadership when an incident occurs. Step through the risk response one step at a time and update the training in real time as communication obstacles are encountered.

Beyond training itself, leaders play a critical role in ensuring employees at all levels see cybersecurity as a shared responsibility, not just an IT issue. Leadership should be an active part of the training so their roles and communication styles in the identified situation will be integrated into employees’ expectations. Here’s how:

Communicate the “Why” Behind Cybersecurity Training

Employees are more likely to engage when they understand that cybersecurity isn’t just about compliance: it’s about protecting sensitive data and securing their own jobs, and it’s about maintaining the organization’s credibility and ability to stay competitive.

Rather than just listing CMMC requirements, tie security training to real-world consequences:

· "A phishing attack cost another company millions—how would we handle it?" How would a successful phishing attack happen in our organization? For example, imagine a situation where an engineer receives an email that appears to come from a person at another company with whom they work on a regular basis. The email contains what looks like a link to a PDF of a drawing, but it’s really a phishing link to harvest their login credentials or install ransomware.

· "How would we detect and stop an insider threat?" Remember that insider threats can be people who make innocent decisions that could compromise information. Ask everyone to share ideas about how they could accidentally do something to put information at risk, and how they or their co-workers could detect the mistake and address it.

· "If our incident response plan failed during a cyberattack, what’s our backup strategy?" What would we do if a threat actor convinced us to send a large payment to a thief’s bank account rather than to a vendor? How would we recover, and how would we fix our response plans so that it doesn’t happen again? If we became the victim of a ransomware attack, how would we handle it? Pretend this is happening and have everyone interact with each other to solve the problem. Record exactly how the interaction plays out and update policies and procedures as better ways to respond are identified.

This risk-based storytelling approach fosters engagement by making cybersecurity personal and relevant. Management can start by setting the stage for the stories, and the employees in the training then actively, creatively, but realistically complete them.

This transforms training from a passive requirement into active problem-solving. The result is that new risks will inevitably be identified, and the simulated responses will have been practiced, ready when needed, and integrated into organizational culture.

I will be speaking about “Building a Culture of CMMC Compliance” at CMMC Day on May 5, 2025. Look forward to seeing you there!

More articles by James Harper
