More than 70% of University of Colorado employees completed the Information Security Awareness (ISA) course in the last two years, demonstrating a collective commitment to cybersecurity across CU.

When viewed closely, the numbers are even more impressive:

• 85% when narrowed to permanent employees.
• 90% when looking at employees in high-risk organizational units, such as finance, human resources (HR) or IT units. 

According to CU Deputy Chief Information Security Officer Brad Judy, the campaign’s success can be attributed to the strong collaboration between campus and UIS communications, campus Information Security and HR teams, and the Employee Services (ES) Learning and Development team.  

“The success of this effort really demonstrates how multifaceted communications and multicampus partnerships can connect with our CU employee community,” Judy said. 

Judy and Janet Bravo, OIS security awareness program manager, led the initiative and used a three-phase approach to achieve a high completion rate: a system-wide awareness campaign, automated follow-up and, finally, a data empowerment phase. 

Security Awareness Campaign 

Bravo coordinates the annual Cybersecurity Awareness Month, which kicked off the ISA course completion campaign in October 2023. The campaign FAQ page received more than 10,000 views and over 7,000 employees completed the training in Oct. and Nov. 2023. 

Many employees were retaking the course in response to the new training requirement: all faculty, staff and student employees must complete the ISA course every two years, in addition to the original requirement to complete it within the first 60 days of employment. 

Automated reminders 

The initial campaign phase focused on ensuring employees were aware of the new requirement. The second phase involved a partnership between OIS and the ES Learning and Development team to configure Skillsoft to send reminders. Individuals who had not completed the training in the previous two years received automated email reminders.

More than 17,000 employees completed the training during the automated-reminders phase between December 2023 and March 2024.

Empowering campuses with data 

The third phase of the campaign required collaboration with the Employee Services data team and the UIS Data and Business Intelligence team. Employee Services created a CU Data report on course completion and then Judy created a spreadsheet template to automate the desired data analysis for specific departments or units. 

Now, all campus information security teams can generate reports on demand, identify broad trends across their campus and set goals based on data. 

Next steps 

Skillsoft will upgrade to Precipio this fall, requiring new configurations. One goal is to limit automated reminders to applicable employees and avoid confusing those to whom the requirement does not apply. The ISA course content and quiz are updated annually. And, with the newly available data analytics, campuses can focus their efforts on improving compliance in high-risk areas. 

Overall, the new requirement and campaign led to a much greater completion rate, resulting in a CU community more knowledgeable and vigilant about cybersecurity.  

Judy said, “I really appreciate the investment CU employees made in cybersecurity through this training process. Every member of the CU community has a role in cybersecurity, and this training course is a big part of how CU provides cybersecurity information to the community.”