Security Pros Need Better Security Awareness Training Options

Wednesday, April 16, 2014

Tripwire Inc


By: David Meltzer 

One of the basic security measures that every company should be taking is giving security awareness training to its employees. This is part of Critical Security Control 9. CSC 9-3 says:

“Implement an online security awareness program that (1) focuses only on the methods commonly used in intrusions that can be blocked through individual action, (2) is delivered in short online modules convenient for employees, (3) is updated frequently (at least annually) to represent the latest attack techniques, (4) is mandated for completion by all employees at least annually, and (5) is reliably monitored for employee completion.”

So I wasn’t the least bit surprised a few years ago when my team of security researchers was asked to take security awareness training. But it did seem funny that this group, the most security-aware people I know, was taking the same training as the HR team.

Not that I think they minded that much, as the online training quickly became a game of how you could hack the online training to give you a passing score without having to sit through an hour of videos (hint: although you may not be able to comprehend 15 videos playing simultaneously on your screen, it does substantially reduce how long it takes to watch 15 videos).

This does seem to be a common issue, though, so I think it is valuable to give the security pros in your organization some options. There is an opportunity to turn what is for them an annoying waste of an hour into something productive and valuable to the business. Here are a few ideas for implementing this control:

Give an “Advanced Option” as Part of Awareness Training

Anyone who really knows their stuff with security would probably opt to learn something useful instead of rehashing what they already know. I recently made a technical report about how large organizations implement vulnerability management mandatory reading for one of my teams.

That probably took about as much time to read as an online awareness training class would take, but for this group I’d say it is far more valuable to educate them on one particularly relevant area of security, rather than cover the basics again. An advanced option could come from the same training system as your basic class, or it could be as simple as an instruction to watch a webinar or read a new report on an area of security.

Offer a Security Project in Lieu of Training

For the security pros, your organization will probably get more out of them if they do something for security instead of taking a class. We do brown bag trainings at our office, so if someone is willing to spend an hour teaching others about an area of security they are an expert in, why not let that fulfill their awareness duty for the year?

Or how about an assignment to design some posters reminding people of key security basics and put them up? If a security pro is willing to spend the time to do something to increase awareness for the organization, let them do it!

Turn Security Awareness into Continuing Security Education

The 20 Critical Security Controls suggest reiterating training with updates annually, but many organizations have a tendency to repeat the exact same regimen every year. What about creating a program in your organization that encourages and offers continuing education around security for your employees, instead of simply repeating the same training options?

Those with professional certifications in security, like a CISSP, know that Continuing Professional Education credits are required to stay certified. That does not mean they need to go back over the original certification materials.

Whether you have the budget to offer external training opportunities to employees, or spend the time to create a simple internal system of training credits, it makes sense to give security pros the option to be exempt from awareness training as long as they have completed some security education in the previous time period.

Some small tweaks like this can make your security pros a little more appreciative of their company’s own policies, while benefiting the company at the same time – a cheap win-win.

So the next time that reminder goes out to your employees that they need to complete the annual security awareness training, spend a few minutes thinking about how you can make your pros happy while keeping them educated instead.

This was cross-posted from Tripwire's The State of Security blog.
