We recently read Joe Ferrara’s excellent article found on CSOonline.com: ‘Ten Commandments for effective security training’, and as security consultants who provide training, it got us thinking.
So, diving into our pool of expert resource, here are some handy hints and tips which you can use in addition to Mr Ferrara’s observations.
Always conduct a Risk Assessment and gear your training toward contributing to the mitigation of the identified top risks.
Security training and awareness is just another security control. Fact. So make sure all your security controls, including training, contribute to the mitigation of your security risks. This means that just turning up and telling people to lock their computers, put stuff away at night and report breaches is not good enough. Do a risk assessment followed by a training needs analysis so you can be sure the right messages are getting to the right people. So if spam, unauthorised third party access, burglary or whatever are your top risks, make sure your training contributes to mitigating these.
‘S’ is for security, strategy (and sausages). Your security training strategy can be (and probably should be) as simple as four columns: who (needs training), what (do they need to know), when (do we do it) and how (classroom, online, during team meetings)? Sausages are optional and because your strategy will cater for everyone you will need some meat-free ones.
No one expects the Spanish Inquisition. But everyone expects the Information Security Manager to promote security awareness. So why not get IT, estates management, HR, reception and anyone else who is responsible for delivering security controls in your organisation to help out with planning and delivery? It will keep your training varied, get your colleagues involved and ‘on message’, take the weight off your shoulders and keep your powder dry for another time.
Big bangs are for fireworks night only. Under sell and over achieve. As Mr Ferrara points out, information security is an iterative and continuous process, so go easy on the dry ice and audio visuals to begin with. On this point, don’t ignore the value of ‘watercooler moments’ (management speak for those daily discussions we have). Reinforcing and reminding good practice on a one-to-one basis is just as valid and effective as a presentation to the Board.
Don’t forget your 3rd parties. Suppliers, contractors and customers may have access to your information assets, so make sure you include them in your security training strategy.
Get feedback. Make sure you have a clear method for understanding the effectiveness of your security training BEFORE you deliver it, whether that is a survey, ‘happy sheet’, group discussion or whatever. Someone will be monitoring the effectiveness of some of your other security controls (e.g. the Firewall) so do the same for your training – it is just as important.
Get buy-in. Before you start make sure management are on board.
Is security training ‘on pain of death’? Our energies should be focused on making the training a fantastic experience that people want to engage with, rather than expending time and effort brandishing a big stick to non-attendees.
“As you didn’t turn up for security training, I now have to smash up your laptop. You were warned.”
Thank you to Mark Goddard, one of our expert consultants.
Security training needs to be seen as it truly is, an enabler for business.