Information security training is a journey: it takes time, but standards demand capabilities.
Speaking at the Think Charity conference in London, organised by the Charities Security Forum, (ISC)2 EMEA managing director Adrian Davis said that being part of the security profession gives you certain rights and responsibilities, but that as we try to create more of a profession, we need to be aware of what is going on around us.
“There is a 25 per cent growth in Europe in standards,” he said. “The Government is using ISO 27001, and if you are not, there is a gap in your professional knowledge. Also, it is not just about PCI DSS compliance; you can implement the Cyber Essentials scheme, which is cheap, easy and a great place to start.”
Davis encouraged delegates to consider how the adversary works, and said that what attackers do is what we “need to know about and implement and recommend and remediate and address”.
He said: “The skills of hackers are good, and we deal with people who are interested in you and after your money. You need knowledge to defend against them, and the better equipped you are, the better knowledge you have and the better you communicate it, the better for you and your organisation.
“Ten to twelve years’ experience is no longer enough; you need to top up with more knowledge, and if you want to change jobs, it always looks better with letters after your name!”
Moving on to staff training, Davis said that since staff are not experts, and never will be unless they follow your lead, you need to tell them when and how to do things right, and to do the right thing every day in their jobs. “You have a responsibility to employees, so you can recommend how to put up a minimum defence,” he said.
“Only two policies get read – expenses and holiday. Think about what you get from it, as long as you get value and what the organisation needs. How do you make them secure and help them, and how do you help the organisation do things more securely? That is the key to your training.”
Davis concluded by telling delegates to change what they do: those who need to get the message across understand the subject but may not be experts in communications, so they should use staff who have expertise in communications and tailor messages to the different people they want to reach.
He said: “It is a journey. If they do it once, they remember it for two days. Bring people along and get them to listen and accept that what you are telling them is important. It takes time, and the only thing you can do is give it time. It is frustrating, but if you don’t, you don’t get anywhere.”