278 ◾ Security Strategy: From Requirements to Reality
4. Security Development Lifecycle training for IT application designers, testers, and
developers.
Here are some examples of shifts in training requirements for organizations that are moving
toward a security-aware culture—a culture where security is Job 1 for all employees.
1. In an article titled “Staff Training Crucial to Successful Security Program,” Bill McShane,
director of loss prevention and life safety at Affinia Hospitality, stated, “Security used to be
a stepchild of the hotel. It has not only become an important issue, but it is a competitive
advantage because guests are so much more concerned with security. We educate all of our
staff in security basics,” he said. “We hope to have the entire staff working as a protection
team.”
2. In another example, cited in a Network World article titled “Security Training 101,” New York
State developed a hands-on anti-phishing exercise in conjunction with the Anti-Phishing
Working Group, AT&T, and the SANS Institute. This exercise included some 10,000
employees, who were unaware they were participating in the exercise. If participants fell
victim to the phishing attack in the exercise, they were immediately routed to a brief tutorial
on phishing scams. Two months later, the organizers followed up with a different phishing scam and
saw a 50% improvement in employee response.
3. Many security breaches are also identified and reported by nonsecurity personnel. Let’s take
industrial espionage attempts, for example. In our experience working with international
sales groups, many of the specific incidents utilized in the security training we helped design
came from sales representatives, executives, support personnel, and in-country offices that
had reported either foiled or successful espionage attempts.
Attempts included laptop thefts, communications intrusions, cybertheft, and more. Some
incidents were also reported by the extended enterprise (including suppliers, customers, and in
some cases, even competitors) who provided either evidence or suspicions of industrial espionage
attempts. Other incident data came from security group personnel audits and observations, from
government groups monitoring the industry, and from other organizational audits that turned up
suspected incidents.
From this compiled data, security worked with an outside vendor to design and deliver specific
training for executives, sales personnel, and enterprise employees likely to be the target of espionage
attempts, with specific information regarding the tactics employed, how to best thwart those
tactics, and how to report incidents. In addition, sessions with individual executives and sales force
representatives, as well as in-country focus groups, were conducted to better assess how to deliver an
effective program to enterprise personnel.
Besides just telling employees about security attacks that have proven successful, other training
techniques such as mock scenarios to interact with, role-based training, and computer simulations
can be used to improve effectiveness. The key to effective training is taking a blended approach
that utilizes active involvement techniques, as well as awareness and information techniques.
Security Staff Training
Security staff training requires careful, systematic planning for developing staff knowledge, skills,
and abilities for both today’s and tomorrow’s security work. When you think of your security staff
and training requirements, questions such as these should arise: What is the depth of current staff