Chapter 14
Security Awareness Training
Security is always excessive until it’s not enough.
Robbie Sinclair
Head of Security, Country Energy, NSW Australia
Introduction
As security budgets flatten or diminish in economic downturns, the monies available for training shrink. The challenge for any training is determining what training, where, and for whom, as well as what technologies and methods to employ for best impact and ROI (return on investment). Meanwhile, security compliance requirements are increasing; penalties, fines, and lawsuits for breaches of security seem to fill headlines; and security issues are increasingly a high-priority issue for many businesses (most notably of late, data security). The requirements for training remain a primary focus for all security groups. The question now more than ever is how to do it efficiently with greater impact, especially in compliance domains. Whether your security group is responsible for security awareness training and education, or requirements have been sourced to an enterprise training group or an external supplier, the discussions in this chapter should help you refine security training requirements.
We have more than 50 years of combined experience as teachers, trainers, and consultants, and both of us are avid, lifelong learners. Our sojourns have taken us into many cultures, as well as into organizations of business, education, government, and nonprofit groups around the globe. In our careers, we have helped design, deliver, and evaluate literally hundreds of courses to learners of every kind and stripe, while having the good fortune to work with brilliant minds from major universities around the globe. Training is not adequate to describe what is required for organizations to remain relevant and credible in the marketplace today. We’re not sure even transformational learning, learning organization, or collaborative learning are enough to describe what is needed today.
The mantra of any good security engineer is: “Security is not a product, but a process.”
Bruce Schneier

If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.
Richard Clarke
White House Cybersecurity Adviser
TAF-K11348-10-0301-C014.indd 275 8/18/10 3:12:56 PM
Security Strategy: From Requirements to Reality
In this chapter we will review the basic standards required for awareness training, and we will also consider some of the issues that security must address as enterprises continue to strategically transform the way they do business.
As organizations begin moving toward a commitment-based security model, as outlined by the American Center for Strategic Transformation, the educational requirements for security become increasingly important. A commitment-based security group provides employee training that well verses employees in potential security threats and the actions they should take. In the commitment-based model, the security group regularly shares information with employees and seeks feedback on how to enhance their performance. Ideas for implementation into security strategy and practice can come from anywhere in the organization. The security function collaborates with the enterprise to determine what combinations of technology and people practices best provide the appropriate level of security. And most importantly, the security function is seen favorably as a critical player and true business partner. In essence, security has become part of the enterprise DNA, and security functions are continuously improved by learning together how to get better.
Regardless of the current model your security group functions in (or the model you are working toward), there are several major categories of training that security groups need to manage well. The first category is staff development for present and future skill requirements. This includes security staff requirements (present and future skills), as well as enterprise staff security training requirements. Security staff requirements include:
- Security training requirements and certifications required by outside agencies
- Training requirements and certifications required internally
- Future training requirements (caused by technology changes, organizational changes)
Enterprise staff training includes:
- Orientation training
- Annual training
- Issue training for general population or specific groups
The second major category is security awareness training, which includes:
- High-level executive awareness of prime security issues
- Awareness programs for engaging specific groups
- General security awareness training for employees
- Security awareness segments included in employee orientation programs
In many security groups, awareness training may also be mandated by outside agencies that
require various types of awareness training to be deployed in conjunction with international,
federal, state, or local agency policies.
For the purposes of this chapter we will focus on security staff development and security awareness training efforts. First, let’s take a moment to articulate the differences between awareness and training.
Awareness is simply the efforts of security to focus people in the organization they serve on security issues. By focus we mean how to identify common risks and how to appropriately respond to that risk. For example, awareness efforts may involve topics such as recognizing and responding to suspicious behavior, phishing attacks, or social engineering attempts to gain access to organizational information, property, or people. Awareness training is normally aimed at a broader audience and uses marketing tactics and selected communication technologies to deploy the message.
Training focuses on how to produce relevant and needed security skills and competency. Training is a more formalized approach to building the knowledge, skills, and abilities (KSAs) to help employees do their jobs in a way that does not compromise organizational assets. In training, the audience is typically much more engaged in the process and expected to be an active participant. Training may also be much more specific to the audience group and require more segmentation of KSAs required for a particular organizational group (i.e., International Sales vs. Engineering and a security training session in thwarting industrial espionage attempts).
Staff Development Training
This job is a test. It is only a test. If this had been a real job you would have had:
- Recognition for good work
- Pay commensurate with your expertise & results
- Promotions to greater responsibilities.
Unknown Author
There are several levels of staff training to consider for both the security staff itself and the organizational staff that is expected to perform security functions themselves (beyond a general awareness of security issues and reporting them).
As we discussed in prior chapters, as an organization moves down a security model continuum from compliance- to commitment-based security, a change occurs for all staff members regarding their responsibility for security, which usually involves specific training for additional skills (just as quality and productivity movements did in prior decades). All too often security training for enterprise staff is met with universal groans and sighs of “Here we go again.” Security training must be timely, applicable, interesting, and enjoyable to matter. Let’s look at techniques that work.
General Staff Security Training
Creative minds have always been known to survive any kind of bad training.
Anna Freud
Typically, there are some general training requirements for all staff in an enterprise and some nonsecurity personnel that require specialized training because of the security requirements of the organization. Requirements for general staff are as follows:
1. Knowledge of the general structure and operation of security: where to find information, who to call, as well as information about policies and standards, compliance expectations, and penalties for noncompliance.
2. Training on proactive security techniques: detecting malicious activity, answering the question, what’s wrong with this picture?
3. Training for a security role if their work is associated with security but not in the security department.
4. Security Development Lifecycle training for IT application designers, testers, and developers.

I hated every moment of training, but I said, “Don’t quit. Suffer now and live the rest of your life as a champion.”
Muhammad Ali
Here are some examples of shifts in training requirements for organizations that are moving toward a security-aware culture, a culture where security is Job 1 for all employees.
1. In an article titled “Staff Training Crucial to Successful Security Program,” Bill McShane, director of loss prevention and life safety at Affinia Hospitality, stated, “Security used to be a stepchild of the hotel. It has not only become an important issue, but it is a competitive advantage because guests are so much more concerned with security. We educate all of our staff in security basics,” he said. “We hope to have the entire staff working as a protection team.”
2. In another example cited in a Network World article titled “Security Training 101,” New York State developed a hands-on anti-phishing exercise in conjunction with the Anti-Phishing Working Group, AT&T, and the SANS Institute. This exercise included some 10,000 employees, who were unaware they were participating in the exercise. If participants fell victim to the phishing attack in the exercise, they were immediately routed to a brief tutorial on phishing scams. Two months later, they followed up with a different phishing scam and saw a 50% improvement in employee response.
3. Many security breaches are also identified and reported by nonsecurity personnel. Let’s take industrial espionage attempts, for example. In our experience working with international sales groups, many of the specific incidents utilized in the security training we helped design came from sales representatives, executives, support personnel, and in-country offices that had reported either foiled or successful espionage attempts.
Attempts ranged from laptop thefts, communications intrusions, cybertheft, and more. Some
incidents were also reported by the extended enterprise (including suppliers, customers, and in
some cases, even competitors) who provided either evidence or suspicions of industrial espionage
attempts. Other incident data came from security group personnel audits and observations, from
government groups monitoring the industry, and from other organizational audits that turned up
suspected incidents.
From this compiled data, security worked with an outside vendor to design and deliver specific training for executives, sales personnel, and enterprise employees likely to be the target of espionage attempts, with specific information regarding the tactics employed, how to best thwart those tactics, and how to report incidents. In addition, individual executives and sales force representatives were consulted, and in-country focus groups were conducted, to better assess how to deliver an effective program to enterprise personnel.
Besides just telling employees about security attacks that have proven successful, other training techniques such as mock scenarios to interact with, role-based training, and computer simulations can be used to improve effectiveness. The key to effective training is taking a blended approach that utilizes active involvement techniques, as well as awareness and information techniques.
Security Staff Training
Security staff training requires careful, systematic planning for developing staff knowledge, skills, and abilities for both today’s and tomorrow’s security work. When you think of your security staff and training requirements, questions such as these should arise: What is the depth of current staff skills, and will they be relevant tomorrow? Are they getting the required ongoing training? Are they familiar with security policies, procedures, and their roles and responsibilities? Are regular readiness exercises and awareness sessions scheduled? Among the training considerations that must be addressed are the following.
Security Staff Training Requirements
1. Training necessary to keep certifications
2. Training necessary to maintain skills (includes practice drills for incidents and disasters)
3. Training necessary to prepare for the introduction of new technologies
4. Training necessary for employees to gain a new perspective and develop additional skills (keeps employees growing and learning and prepares them to better manage multiple sections of security)
5. Training required to show due diligence
6. Training to ensure coverage (cross training so that two people are always available for any given security technology or function) and reduce audit findings of insufficient training records
7. Training for technology migrations/upgrades (not new stuff but changes enough that getting a handle on the new features is needed)
8. Training for social networking with other professionals, learning what is working for others, latest trends, benchmarking, and so on
9. Training so that managers of high-risk staff positions have the skills to properly oversee staff and deal with bad behaviors and other issues before they spin out of control
Compliance, risk management, and business continuity requirements drive expanding training considerations among security departments as well. Increasingly, organizations must ask if their security systems, people, and procedures are all aligned. For instance, it is important to consider operational and physical security measures while accomplishing information security tasks. Your business continuity and crisis management plans must also include operational and physical security elements and the training requirements that are part of fulfilling security’s responsibilities.
Depending on the complexity of your enterprise, you may have a lot of job types to manage under very different requirements. These may range from industrial security job types, which require many U.S. Department of Defense (DOD) certifications, to all types of security professionals ranging from investigators, security guards, firefighters, closed circuit television (CCTV) personnel, badging, lobby services, protective services, security dog handlers, international security groups, not to mention IT security categories such as specialists, consultants, operations managers, security analysts, engineers, identity access managers, and more.
Working with Human Resource (HR) departments helps determine the job categories and responsibilities in greater detail and specificity. Developmental tracks across multiple sectors of security are also important to consider for developing cross-functional capabilities and management bandwidth. It is not our intention to provide specific details regarding how best to detail the levels within a security career grouping or how best to approach cross-functional training. But we do want to emphasize the importance of both of them, as well as building in a plan for future skill requirements for your security group. Too often, organizations employ new technology without providing the prerequisite training that allows security personnel to successfully manage that deployment. Training plans and budget should be part of the overall planning for new technology.