Inside Huolala’s Human‑Focused InfoSec Training: Strategies & Lessons
This article examines how Huolala builds a comprehensive human‑defense information security program, detailing challenges, a multi‑layered training system, content creation, delivery channels, and engaging activities that together strengthen employee awareness and protect corporate data.
Abstract
Information security emphasizes the “three defenses”: human, physical, and technical. Human defense is the foundation, relying on management and training to ensure employee confidentiality. This article focuses on the human‑defense aspect, sharing Huolala’s internal information‑security training practice and cultural building.
1. Problems and Challenges
Employees are the first line of defense, but raising their security awareness is difficult. Main issues include low participation, unreasonable training cycles, limited and non‑customized content, and insufficient internal training staff.
Low employee participation: heavy workloads or the perception that training is irrelevant reduce enthusiasm.
Unreasonable training frequency: intervals that are too long lead to forgetting; sessions that are too frequent become a burden.
Limited, non‑customized content: generic training cannot address specific business scenarios.
Insufficient training manpower: a large staff and complex scenarios make internal delivery inefficient.
2. Current Training System
Huolala divides the audience into four layers: all employees, targeted departments/positions, technical staff, and data‑security key personnel, designing separate programs for each.
2.1 All‑Employee Training
Focuses on basic security awareness, covering onboarding/offboarding reminders and annual all‑employee training.
Onboarding & offboarding: unified training for new hires and reminder messages for departing staff to reduce data leakage risk.
Annual training: combines content, format, and channels (online videos, live talks, MG animation) via an internal learning platform to track progress and exams.
Coverage is pursued through senior endorsement, departmental HRBPs, and security BPs to achieve near‑100% participation.
2.2 Targeted Department/Position Training
Specialized sessions for specific departments, designed after needs analysis, often delivered by internal security trainers in collaboration with department leaders and recruited internal lecturers.
2.3 Technical Center Training
Regular sessions for R&D, testing, and operations covering common vulnerabilities, secure development processes, and business‑security practices.
2.4 Data‑Security Key Personnel
Focused on data‑security staff, providing industry articles, expert talks, and specialized training to keep them updated on threats, technologies, and regulations.
3. Daily Security Awareness Promotion
Beyond formal training, Huolala publishes security articles, runs fun activities, and uses multiple channels to maximize reach.
3.1 Content Planning
Security knowledge is divided into modules (office, data, network, endpoint, legal, personal data). Topics are selected based on employee surveys, incident reports, and compliance needs.
3.2 Content Creation
Materials are concise, readable, and avoid jargon. Formats include long‑form graphics, comics, short sentences, MG animations, and short videos.
3.3 Channels
Online: Feishu subscription accounts, bots, knowledge base, community, groups, splash ads, banners.
Offline: Posters, desk cards, roll‑ups placed in restrooms, elevators, tea rooms, meeting rooms.
3.4 Formats
Visual formats such as security comics, one‑picture‑explain series, quick tips, videos, and interactive H5 games. Activity formats include online/offline games, “park‑style” experience events during security month, and workplace spot‑checks with reward/penalty stickers.
Incentives like leaderboards, certificates, avatar badges, and random draws motivate participation.
Conclusion
Continuous construction and operation of a human‑focused information‑security training system is essential for raising the overall security posture. Huolala will keep optimizing its program, expanding security culture, and strengthening employee awareness to meet evolving technological and business challenges.
