It’s a common belief that security training is one of the largest bugbears for CISOs. Why do you think this is, and how can it be resolved?

I must step back a couple of decades to argue who needs IT security training and why.
I’ve been involved in information security throughout that time, which includes the time before IT was a staple of office life. In those days, before the internet and office networked computers, security training was a casual business with no particular requirements on how – or how often – it should be given or governed.
It was not long after the arrival of office-based IT systems that security officers had to respond to the ‘new’ problems of hacking and malware. I would place that around the mid-1990s, which I consider marked the ‘first wave’ in an awakening of IT security training, education and awareness.
Stepping ahead a few years, there was a tranche of US legislation that imposed new privacy laws, but for me the early 2000s marked a ‘second wave’ of IT security training, when the security threats from new technologies and requirements of a wide range of laws began to converge.
Highlighting the new focus of law onto corporate ethics, the Department of Justice started commenting on corporate culpability in order to fine-tune its sentencing guidelines, and in 2011 the DoJ concluded that due diligence and the promotion of a culture that encouraged ethical conduct and legal compliance were essential building blocks for effective compliance programs. This, I believe, heralds the ‘third age’ of security education, when legal rulings from the earlier laws began to impact training and awareness requirements. By this point, security training had moved all the way from something that was just a routine into a process that could make a difference in court.
Why is this a headache?
In those relaxed days before IT, it was easy. Security officers could pick what they wanted to say and put their one-off messages into a presentation for new staff. When I first started in security, this would be followed up by an annual reminder for staff to read the security handbook, with a tick-box to confirm they had done so.
Not only was this approach easy, it was probably useless. We’ll never know, because the essential element of assurance was missing until at least the ‘second wave’ of training that I outlined above. In the mid-1990s, the UK Government saw that the new age of information security required effective processes and initiated what would evolve into the ISO 27000 series. These are now mature, international standards that are highly supportive of a wide range of security processes. They are not, however, cheap or easy to implement, and it can be difficult to convince senior managers of the business advantages of the mainstay ISO framework.
Another headache is the competition for resources between HR and security. When HR and security are not aligned, it is likely that security will be the loser, since HR is usually the bigger partner in any organisation. Security officers therefore need a certain amount of “soft” skills to fit security with the priorities of the larger partner, while at the same time preserving the distinct security professionalism and identity.
Consider these challenges in IT security training:
- Professional training standards are required by security staff, some of whom may not be suited to this specialism. A negative response to a security presentation can impact operations while bringing the reputation of the profession into disrepute.
- Difficulties in adapting security messages to the fast-paced environment of emerging and changing threats, coupled with the natural problem of keeping staff up to date and informed of the latest threats in ways that will effectively mitigate them. Keeping training and awareness fresh and relevant, while making it do its job of lessening risks is a major juggling act, to which not all who call themselves IT security specialists are suited.
- Requirements in standards (e.g. ISO 27001) and expectations in some laws (like HIPAA) to measure the effectiveness of the training given can make an already challenging task seem insurmountable. How can you ensure the effectiveness of training, other than by the absence of problems it highlights? In the past, this might have just been classed as a ‘known unknown’, but modern business practice and some of the new legislation requires effective implementation that is also quantifiable.
This needs some thought and careful application, suited to the needs of your particular organisation. It is increasingly possible to integrate desktop training packages which test staff with some basic-level questions on what they have been taught. These resources are helpful in uncovering how much has been taken away from learning or awareness exercises.
Putting aside any deliberate spoilers, as well as those over-anxious at the outcome of a “fail” mark, it should be possible to assess enough data to manage the effectiveness of the material. Security trainers should not, however, rely solely on technology to judge the impact of their training, but also be ready to interview small groups of staff, to get a human view on how the training has been received.
When taken alongside the new privacy laws, we can now see the early 21st century as a gathering of new legal requirements which called for (and in some cases, mandated) effective security training. With origins in a barebones, operational requirement, security education, training and awareness has developed into a large specialism that is underpinned by laws and regulations.
It is no longer optional in most industries, but delivering it effectively requires specialist understanding and application. Communicating the message is probably more important than any one particular threat it highlights: making security credible to the end user is the key to successful implementation of any security measure.
John G. Laskey is a security researcher for the InfoSec Institute