How to get all over your security training – like a pigeon on a chip.

We recently read Joe Ferrara’s excellent article on CSOonline.com, ‘Ten Commandments for effective security training’, and as security consultants who provide training, it got us thinking.

So, diving into our pool of expert resource, here are some handy hints and tips which you can use in addition to Mr Ferrara’s observations.

Always conduct a Risk Assessment and gear your training toward contributing to the mitigation of the identified top risks.

  1. Security training and awareness is just another security control.  Fact.  So make sure all your security controls, including training, contribute to the mitigation of your security risks.  This means that just turning up and telling people to lock their computers, put stuff away at night and report breaches is not good enough.  Do a risk assessment followed by a training needs analysis so you can be sure the right messages are getting to the right people.  So if spam, unauthorised third party access, burglary or whatever are your top risks, make sure your training contributes to mitigating these.
  2. ‘S’ is for security, strategy (and sausages).  Your security training strategy can be (and probably should be) as simple as four columns: who (needs training), what (do they need to know), when (do we do it) and how (classroom, online, during team meetings)?  Sausages are optional and because your strategy will cater for everyone you will need some meat-free ones.
  3. Monty Python – delivering Spanish Inquisition-style security promotion. OK, not really.

    No one expects the Spanish Inquisition.  But everyone expects the Information Security Manager to promote security awareness.  So why not get IT, estates management, HR, reception and anyone else who is responsible for delivering security controls in your organisation to help out with planning and delivery?  It will keep your training varied, get your colleagues involved and ‘on message’, take the weight off your shoulders and keep your powder dry for another time.

  4. Big bangs are for fireworks night only.  Under sell and over achieve.  As Mr Ferrara points out, information security is an iterative and continuous process so go easy on the dry ice and audio visuals to begin with.  On this point, don’t ignore the value of ‘watercooler moments’ (management speak for those daily discussions we have).  Reinforcing and reminding good practice on a one-to-one basis is just as valid and effective as a presentation to the Board.
  5. Don’t forget your 3rd parties.  Suppliers, contractors and customers may have access to your information assets, so make sure you include them in your security training strategy.
  6. Get feedback.  Make sure you have a clear method for understanding the effectiveness of your security training BEFORE you deliver it, whether that is a survey, ‘happy sheet’, group discussion or whatever. Someone will be monitoring the effectiveness of some of your other security controls (e.g. the Firewall) so do the same for your training – it is just as important.
  7. Get buy-in.  Before you start make sure management are on board.
  8. Is security training ‘on pain of death’?  Our energies should be focused on making the training a fantastic experience that people want to engage with, rather than expending time and effort brandishing a big stick to non-attendees.

    “As you didn’t turn up for security training, I now have to smash up your laptop. You were warned.”

Thank you to Mark Goddard, one of our expert consultants.

Security training needs to be seen as it truly is, an enabler for business.

Advent IM can help with training or out-sourced security management. www.advent-im.co.uk

Advent IM launches MySecurityManager

Advent IM Ltd – the UK’s leading independent, holistic security consultancy – today announced the launch of their new outsourced security service: MySecurityManager.

Many businesses and organisations understand the need for robust security management. Given the amount of column inches, both in print and online, devoted to data security breaches alone, it isn’t difficult to appreciate the importance of good, well managed policy.  We know that part of the solution can come from the use of technology, but technology only works at its optimum level when it is part of a solid strategy, which in turn is part of an organisation’s culture.

The cost of creating or maintaining a full time Security Manager role within an organisation can be challenging. Often the expertise required to build, implement and educate-in good policy is not available to many SMEs. But risk appetite is not generally commensurate with budget, so what is an SME to do?

Advent IM Ltd has today introduced packaged solutions to suit most organisational security management needs. These outsourced security packages are a mixture of onsite presence, project management and email support. Because they are scalable and flexible, the service you buy will be appropriate to your organisation’s needs, therefore offering excellent value for a business where budget is not currently available to resource a full time Security Manager. Being a fixed price means that there are no nasty surprises or hidden costs.

The benefits of using such a service include: a pool of experts with many years’ experience – this level of expertise may normally be beyond budget; no need to recruit or train; no National Insurance; no sick pay; no holiday pay and many other important cost savings.

Advent IM’s Managing Director, Mike Gillespie, said,

“Now every business can benefit from the huge amount of expertise that our consultancy clients have long had access to and benefitted from. Offering flexibility mixed with capability, MySecurityManager is a must for any organisation that seeks an efficient and effective means of closing that security knowledge gap”

Details of the service can be found on the Advent IM website http://www.advent-im.co.uk/mysecuritymanager.aspx or by contacting the team.