Onboarding new employees into an organization is an exciting time, but it also presents security challenges. Ensuring that new hires understand cybersecurity risks from day one is essential for protecting company assets, sensitive data, and overall business operations.
Many organizations struggle with how to effectively integrate security awareness training into onboarding, making sure it’s engaging, relevant, and role-specific. In our latest panel discussion, industry experts tackled this challenge, sharing best practices, common pitfalls, and innovative solutions for making security awareness a seamless part of onboarding. Let’s meet the panel:
And myself, Scott Wright (SW), CEO of Click Armor, the sponsor for this session. Let’s get into onboarding and security awareness training:
FP: It’s important to just baseline with the employee. You need to understand what they know, what they don’t know. So when you give them their onboarding training, you’re likely getting stuff from your HR team, but there’s also security awareness training that gets pushed out just to get a baseline for review. A lot of organizations will give an assessment, not only to look at the score but to see how long they took and what they understand. So, a quiz and introduction video on “What is Security in Your Organization”.
EG: One of the most crucial parts to being effective is talking to people. So instead of putting them in front of a monitor, I have the opportunity to, for 45 minutes every month, talk to every cohort that starts at Fastly about security awareness and most importantly, I get to introduce myself. And I can see that there’s more engagement from new hires after they know my name and face.
SC: You can also integrate microlearning into your onboarding process. The one thing I tell people when inducting them into the IT team is if you can avoid it, never click on anything in an email. Always engage with whatever it is outside via Okta or by typing it into the browser. So if your security program isn’t fully fleshed out yet, you can use these little learning moments, too.
EG: It depends. And I only say it because the key components to anything successful are so relevant to the organization that you’re in. I’ll see specifically with Fastly, one of the challenges we have is that we just have such a vast knowledge gap between our engineers and HR and finance teams. So as far as tailoring that, I mean, you have to build those relationships with those different organizations in those different functions within your organization to help with tailoring some training.
FP: I agree with Erin. It’s role-based stuff. So when they’re brought on, just like you want to give them role-based access, you want to give them role-based training, timely. It doesn’t have to be on day one, but it needs to be relatively quickly.
SC: We don’t give access to any files to new hires. Nothing. It has to be explicitly added. And I think this idea of least privilege is taken to the extreme that every single, every single shared drive, the person has to be added to. It’s a golden rule that everyone should be reminded of.
EG: The one thing is that it’s not necessarily a quantitative answer, but it is a qualitative one. For example, we saw a really big uptick after onboarding, especially with the new onboarding training, of people reaching out to me with questions and chatting with me. So, for me an engagement question is, how many questions are being asked? How many people are reaching out after?
SC: We conduct surveys twice a year to gauge employee perceptions of our security culture and awareness training. Additionally, every security module has an optional pre-questionnaire to assess knowledge before training.
FP: Look at time spent. It’s a good determination of how long. If a person spends way too long on it, did they forget about it? You might want to engage with them. They opened it and forgot about it. If they’re too quick, they might have just clicked through. So, you’ll need to engage with them too.
SC: Security awareness has to come from the top down. If executives and managers treat security training as a checkbox exercise, employees will too. Leadership should actively participate in training and model good security behavior.
SW: Many managers see security training as a cost center, but we need to demonstrate ROI. Showing the financial impact of preventing a phishing attack or data breach makes a strong case for prioritizing awareness programs, especially in onboarding.
FP: Make training organic. Employees should feel comfortable bringing up security topics in meetings and engaging with security teams. Creating champions within departments helps spread awareness naturally.
Integrating security awareness into onboarding isn’t just about compliance—it’s about building a culture of security from day one. By using tailored, engaging training methods and continuously reinforcing key security behaviors, organizations can ensure that new hires are well-equipped to protect company assets. Whether through live training, gamified learning, or role-specific content, the key takeaway is that security awareness must be proactive and persistent.