Security Awareness Training 285
Extended Enterprise Approach to Awareness Training
Liz Claiborne, Inc., summarizes the lessons learned from its deployment of a program dedicated to the issue of domestic violence. (This is an example of an organization taking security issues out into the extended enterprise, the personal and work lives of employees.) In the program called "Women's Work," which is designed to generate awareness of the pervasiveness of domestic violence, Liz Claiborne, Inc., states that its intent is to give back to those who have made the company successful: their consumers and employees. The primary lessons Liz Claiborne learned from over a decade of running this awareness program are as follows:
Make a genuine commitment to the issue. Liz Claiborne credits the success of the program to the company's genuine passion for and commitment to the issue.
Get senior-level buy-in. It is critical to have the support and commitment of senior management. In particular, it is helpful to have someone with decision-making authority champion the cause.
Acknowledge the contribution of all partners. Liz Claiborne makes a concerted effort to recognize the contributions of the nonprofit partners and to acknowledge the benefits of the partnership to the corporation.
Enlist experts. It is important that companies partner with experts in the field when taking on an issue.
Just as Liz Claiborne successfully linked a security awareness program to its brand both internally and externally, security groups can link efforts such as workplace violence prevention and other employee awareness issues to organizational core values for the benefit of employees, consumers, and the extended enterprise.
Simulations
The military has made use of simulations for thousands of years to better prepare its forces. Simulations are now used at war colleges, in the national emergency preparedness exercises for Top Officials (TOPOFF) in government and industry, in national and international communities, within private industry, and at universities. Tabletop exercises are becoming more common from the CSO level to the first-line security professional as a means of honing responsiveness to crisis plans and the like.
CSO magazine, in an article titled "Security Simulations: This Is Only a Test," written by Deborah Radcliff, reported on 2004 conferences hosted by the U.S. Department of Homeland Security and the Secret Service. These workshops used a two-day simulation for top officials in the financial, IT, and oil and gas industries. Simulations now blend both physical and online attacks throughout the experience, giving respondents the chance to build detailed responses. Although simulations are not inexpensive to create and implement (the article put the cost at $250,000 per session), they are being used increasingly to train people in many aspects of security responsiveness (cybercrime, terrorist attacks, business continuity, first-responder preparedness, industrial espionage, data protection, and more). One of the key advantages of simulations is the interagency cooperation that is required in order for them to succeed.
Both of us have worked with many vendors to produce various simulations for both national and international use. The simulations we have worked with have included computer simulations, social gaming simulations, business simulations, virtual simulations, tabletop, interactive, immersive, and war gaming simulations. Eric worked for years in a building where multimillion-dollar flight simulators were housed for pilots to learn to fly various models of airplanes. Those were amazing simulators, to say the least. From our experience, we would underscore the need for careful planning, budgeting, and beta-testing of simulations prior to rollout. The consistency of experience, participant immersion, and analysis possible in a simulation are strong attributes of this approach. Many simulation suppliers can help craft high-quality simulations. Visual Purple, Skybox, Xenon, CAE Professional Services, and Pregasis are just a few of the companies that can provide simulation expertise.
TAF-K11348-10-0301-C014.indd 285 8/18/10 3:12:56 PM
286 Security Strategy: From Requirements to Reality
Training Resources
Myriad security training resources, as well as companies, consultants, and other organizations, are available to help a security group design training and awareness programs. Strategically, building security practices into the fabric of any extended enterprise can help decrease costs in terms of software development cycles, security incidents, and intellectual property and data loss, and can also create strong elements of customer value in an enterprise's products and services. Choose partners who can assist you in developing security training and awareness programs that are integrated into enterprise-wide security values, ethics, and cultural norms. Training and awareness programs should be built to create high-level employee commitment to creating a safe and secure workplace. While security budgets may be understood more as an investment than just a cost in creating an organizational brand, it remains important for security leadership to make wise use of training dollars for education and awareness efforts that include not just training but enforcement, posters, bulletins, newsletters, and so on. Following is a discussion of some of the most recognized national and international organizations in the security training and certification business.
ASIS International, established in 1955, has been helping security professionals develop through its extensive educational programs and materials, which address broad security interests. ASIS has more than 200 chapters worldwide that also sponsor educational programs and focus on local security professional issues. ASIS is continuously involved in setting national and international standards for security practices.
CSO Executive Programs/Seminars/Perspectives is another great networking opportunity, with the additional benefit of in-depth discussions and seminars with other senior-level security professionals. If you are one of the security industry's best and brightest, you'll find your way to these forums.
The International Information System Security Certification Consortium, (ISC)², touts its certifications as the "international gold standard" against which all other certifications are measured. (ISC)² was founded in 1989 as a nonprofit organization dedicated to the creation of stringent global standards and certifications for IT professionals. Its certifications have been formally approved by the U.S. Department of Defense, and in 2002 they were adopted as the baseline for the U.S. National Security Agency's Information Systems Security Engineering Professional (ISSEP) program. Professionals may also obtain concentration certifications in three distinct IT arenas:
1. Information Systems Security Architecture Professional (ISSAP)
2. Information Systems Security Engineering Professional (ISSEP)
3. Information Systems Security Management Professional (ISSMP)
(ISC)² credentials require 40 hours of ongoing learning (continuing professional education, or CPE, credits) each year and must be renewed every three years.
The Conference Board has been operating as a global, independent, nonprofit membership organization working in the public interest for nearly a century. Currently, the Conference Board has over 2,000 member companies. It is a great source for learning the latest trends in management and the marketplace. While geared toward organizational leaders, security professionals can glean much from this organization's research, conferences, forecasts, trend analyses, and white papers. Its topic areas cover security-related subjects such as risk management, operations and business processes, corporate governance, ethics and compliance, C-suite forums for chief privacy officers, and leadership development. Conference attendees will hear firsthand what their peers are doing in multiple industries.
ISACA (the Information Systems Audit and Control Association) is a recognized leader in global IT governance. Begun in 1967, ISACA is a global organization for information governance, control, security, and audit professionals. Its IS auditing and IS control standards are followed by practitioners worldwide. ISACA currently has 86,000 members from around the world and provides a lively forum for its membership to share widely divergent viewpoints on a variety of professional topics. IT professionals can also obtain certifications through ISACA's educational programs: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), and the soon-to-be-rolled-out Certified in Risk and Information Systems Control (CRISC) designation.
The NSI (National Security Institute) was founded in 1985 by Stephen S. Burns and David A. Marston, two leading-edge security practitioners with many years of experience in government and corporate security environments. The NSI has become one of the leading organizations in helping contractors understand threats to U.S. national security. Burns and Marston's employee security awareness programs are also widely used by America's top corporations to educate employees about the risks of critical information loss to hackers, spies, and data thieves.
The SANS (SysAdmin, Audit, Network, Security) Institute is one of the largest sources of information security training. It was established in 1989 as a cooperative research and education organization. SANS has over 165,000 security professionals from around the world working together to help the entire information security community. Many SANS resources are free for the asking, and many educational and training resources are available, including the largest collection of research documents about various aspects of information security.
The Transglobal Secure Collaboration Program (TSCP) is a government-industry partnership focused on mitigating risk in the aerospace and defense (A&D) industry. TSCP is a relatively new organization that was begun with a number of aerospace and defense companies in Europe and the United States to solve the problems of information sharing between governments, companies, and individuals. TSCP works with vendors, supply chain participants, defense and aerospace agencies, and trade associations to provide more secure collaboration throughout the extended enterprise of the A&D industry. One of the important aspects of TSCP is that it provides a collaborative environment in which the elements of an extended industry value "system" can discuss mutually beneficial rules and requirements for creating a secure working environment.
Innumerable U.S. government organizations, including the following, are also helpful for security personnel involved in defense contracting or related security issues:
Defense Institute of Security Assistance Management (DISAM)
The U.S. Department of Transportation's Federal Transit Administration (FTA)
Federal Emergency Management Agency (FEMA)
Transportation Security Administration (TSA)
U.S. Department of Homeland Security
Customs and Border Protection (CBP)
Customs-Trade Partnership Against Terrorism (C-TPAT)
Port and Maritime Security
National Technical Information Service (NTIS)
National Institute of Standards and Technology (NIST)
Many other government groups exist with national and international training or information that will provide the knowledge, skills, and certifications needed in the many sectors of security that interact with these agencies and their policies.
In addition, many international organizations provide global scope on similar issues, including the International Security Industry Organization (ISIO), the World Customs Organization (WCO), the International Organization for Standardization (ISO), the International Air Transport Association (IATA), and others that may be relevant depending on which industry or government sector you work in.
Many more resources are to be found in any number of forums, organizations, consultant groups, and issue-related seminars sponsored by nonprofit, academic, government, and private interest groups. These can be helpful in gaining additional insight into security training issues and complexities at the local, state, national, and international levels. Here are a few examples of these types of resources:
Fuld-Gilad-Herring Academy of Competitive Intelligence (ACI), an educational institution dedicated to training managers and companies to better manage risks and anticipate new market opportunities through the use of superior competitive intelligence. ACI is recognized for its expertise in competitive intelligence by Business Week, CNBC, The Economist, Fast Company, Forbes, Fortune, Fox News, The New York Times, the United Nations, and The Wall Street Journal.
Wharton/ASIS Program for Security Executives, an example of a well-regarded mini-MBA-type academic program that is a collaboration between the Wharton School of the University of Pennsylvania and ASIS International. These shorter programs can be ideal for security executives who need to sharpen their managerial and strategic perspectives and develop their bottom-line business instincts. Such two-week to month-long programs suit security leaders who have limited time and yet want to continue to hone their ability to maximize organizational impact and model continuous learning.
The RAND Corporation, a nonprofit organization dedicated to improving policy and decision making through research and analysis. It offers many educational and informational resources that are cutting edge in many fields, including many of the major security issues that currently face the world. RAND makes many workshops, internship opportunities, tools, and seminars available for the security professional interested in gaining insight into and understanding of the crucial issues of the times. If you desire a learning track with independence, rigor, discipline, and an interdisciplinary approach, you will find a broad range of subjects of interest to a security practitioner.
CERT, part of Carnegie Mellon University's Software Engineering Institute, dedicated to studying Internet security vulnerabilities and researching long-term changes in networked systems. CERT has developed many training programs to help organizations improve security. Started in 1988 at the request of DARPA (the Defense Advanced Research Projects Agency), CERT is dedicated to developing and promoting the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of critical services.
These are a few of the resources available for continuous learning for those who consider themselves security professionals. This is not meant to be an all-inclusive list; many other organizations in the education, government, private business, and nonprofit sectors will benefit anyone trying to keep abreast of the security field. The important thing is to have a plan for personal development that lasts throughout your career.
Awareness Training Challenges
The user's going to pick dancing pigs over security every time.
Bruce Schneier
Good security training should begin at the start of and continue throughout a person's employment. From the first day of orientation until the last day on the job, an employee is part of organizational security, with responsibilities and requirements. From hiring, job description, orientation, and training program to promotion and career, an employee is part of your organizational culture and how you do things. It is important from the start to link security into the very organizational DNA of group identity and organizational values.
Creating security training and awareness programs throughout an employee's life cycle is integral to establishing security as a competitive advantage. Here are a few of the challenges that must be considered in that undertaking:
Cultural security blinders that prevent the adoption of best practices (mental models in place prevent seeing new options)
A piecemeal security training and awareness approach instead of a systemic approach
Nonalignment of security training with enterprise core values
No clear understanding of the barriers or resistance to security principles in employee groups
Boring security training
Content irrelevant to the audience
Training that is not memorable
Too many security topics covered, so the audience cannot absorb them
Training not applied to the workplace
Too time-consuming for employees
Not enough depth
Costs too high
Not effective at changing behavior
Security training not integrated into the extended enterprise's learning management system(s)
Too many competing enterprise initiatives
Security training and awareness should not be treated as a one-time event. Any security and awareness training should be part of a holistic approach to creating a security-committed culture. Martin Smith, chairman and founder of The Security Company, puts it this way, "You need to