IT Security Guru

What types of companies are seeking IT security training, and why?

by The Gurus
March 27, 2015
in This Week's Gurus

It’s a common belief that security training is one of the largest bugbears for CISOs. Why do you think this is, and how can it be resolved? I must step back a couple of decades to argue who needs IT security training and why.
 
I’ve been involved in information security throughout that time, which includes the time before IT was a staple of office life. In those days, before the internet and office networked computers, security training was a casual business with no particular requirements on how – or how often – it should be given or governed.
 
It was not long after the arrival of office-based IT systems that security officers had to respond to the ‘new’ problems of hacking and malware. I would place that around the mid-1990s, which I consider marked the ‘first wave’ in an awakening of IT security training, education and awareness.
 
Stepping ahead a few years, there was a tranche of US legislation that imposed new privacy laws, but for me the early 2000s marked a ‘second wave’ of IT security training, when the security threats from new technologies and requirements of a wide range of laws began to converge.
 
Highlighting the new focus of law on corporate ethics, the Department of Justice started commenting on corporate culpability in order to fine-tune its sentencing guidelines, and in 2011 the DoJ concluded that due diligence and the promotion of a culture that encouraged ethical conduct and legal compliance were essential building blocks for effective compliance programs. This, I believe, heralds the ‘third age’ of security education, when legal rulings from the earlier laws began to impact training and awareness requirements. By this point, security training had moved all the way from something that was just a routine into a process that could make a difference in court.
 
Why is this a headache?
In those relaxed days before IT, it was easy. Security officers could pick what they wanted to say and put their one-off messages into a presentation for new staff. When I first started in security, this would be followed up by an annual reminder for staff to read the security handbook, with a tick-box to confirm they had done so.
 
Not only was this approach easy, it was probably useless. We’ll never know, because the essential element of assurance was missing until at least the ‘second wave’ of training that I outlined above. In the mid-1990s, the UK Government saw that the new age of information security required effective processes and initiated what would evolve into the ISO 27000 series. These are now mature, international standards that are highly supportive of a wide range of security processes. They are not, however, cheap or easy to implement, and it can be difficult to convince senior managers of the business advantages of the ISO framework that underpins them.
 
Another headache is the competition for resources between HR and security. When HR and security are not aligned, it is likely that security will be the loser, since HR is usually the bigger partner in any organisation. Security officers therefore need a certain amount of “soft” skills to fit security with the priorities of the larger partner, while at the same time preserving the distinct security professionalism and identity.
 
Consider these challenges in IT security training:

  • Professional training standards are required by security staff, some of whom may not be suited to this specialism. A negative response to a security presentation can impact operations while bringing the reputation of the profession into disrepute.
  • Difficulties in adapting security messages to the fast-paced environment of emerging and changing threats, coupled with the natural problem of keeping staff up to date and informed of the latest threats in ways that will effectively mitigate them. Keeping training and awareness fresh and relevant, while making it do its job of lessening risks, is a major juggling act, to which not all who call themselves IT security specialists are suited.
  • Requirements in standards (e.g. ISO 27001) and expectations in some laws (like HIPAA) to measure the effectiveness of the training given can make an already challenging task seem insurmountable. How can you ensure the effectiveness of training, other than by the absence of the problems it highlights? In the past, this might have just been classed as a ‘known unknown’, but modern business practice and some of the new legislation require effective implementation that is also quantifiable.

This needs some thought and careful application, suited to the needs of your particular organisation. It is increasingly possible to integrate desktop training packages which test staff with basic questions on what they have been taught. These resources are helpful in uncovering how much has been taken away from learning or awareness exercises.
 
Putting aside any deliberate spoilers, as well as those over-anxious at the outcome of a “fail” mark, it should be possible to assess enough data to manage the effectiveness of the material. Security trainers should not, however, rely solely on technology to judge the impact of their training, but also be ready to interview small groups of staff, to get a human view on how the training has been received.
 
When taken alongside the new privacy laws, we can now see the early 21st century as a gathering of new legal requirements which called for (and in some cases, mandated) effective security training. With origins in a barebones, operational requirement, security education, training and awareness has developed into a large specialism that is underpinned by laws and regulations.
 
It is no longer optional in most industries, but delivering it effectively requires specialist understanding and application. Communicating the message is probably more important than any one particular threat it highlights: making security credible to the end user is the key to successful implementation of any security measure.
 
John G. Laskey is a security researcher for the InfoSec Institute