Tag Archives: information security training

Security and Policing Event 2016

This Home Office event will soon be upon us (March 8-10) and we just wanted to let you know you will be able to find us on stand Z20 in the Cyber Zone. You can find details of this event here.

Mike Gillespie, Advent IM Managing Director, will also be presenting in the Cyber Briefing Zone on the 9th on the subject of the cyber security of Industrial Control Systems.

Come along and meet Mike and Gareth and enjoy some great presentations, content, updates and a bit of a chat.

How to get all over your security training – like a pigeon on a chip.

We recently read Joe Ferrara’s excellent article found on CSOonline.com:  ‘Ten Commandments for effective security training’, and as security consultants who provide training, it got us thinking.

So, diving into our pool of expert resource, here are some handy hints and tips which you can use in addition to Mr Ferrara’s observations.

Always conduct a Risk Assessment and gear your training toward contributing to the mitigation of the identified top risks.

  1. Security training and awareness is just another security control.  Fact.  So make sure all your security controls, including training, contribute to the mitigation of your security risks.  This means that just turning up and telling people to lock their computers, put stuff away at night and report breaches is not good enough.  Do a risk assessment followed by a training needs analysis so you can be sure the right messages are getting to the right people.  So if spam, unauthorised third party access, burglary or whatever are your top risks, make sure your training contributes to mitigating these.
  2. ‘S’ is for security, strategy (and sausages).  Your security training strategy can be (and probably should be) as simple as four columns: who (needs training), what (do they need to know), when (do we do it) and how (classroom, online, during team meetings)?  Sausages are optional and because your strategy will cater for everyone you will need some meat-free ones.
  3. Monty Python – delivering Spanish Inquisition-style security promotion. OK, not really.

    No one expects the Spanish Inquisition.  But everyone expects the Information Security Manager to promote security awareness.  So why not get IT, estates management, HR, reception and anyone else who is responsible for delivering security controls in your organisation to help out with planning and delivery.  It will keep your training varied, get your colleagues involved and ‘on message’, take the weight off your shoulders and keep your powder dry for another time.

  4. Big bangs are for fireworks night only.  Undersell and over-achieve.  As Mr Ferrara points out, information security is an iterative and continuous process, so go easy on the dry ice and audio visuals to begin with.  On this point, don’t ignore the value of ‘watercooler moments’ (management speak for those daily discussions we have).  Reinforcing and reminding good practice on a one-to-one basis is just as valid and effective as a presentation to the Board.
  5. Don’t forget your 3rd parties.  Suppliers, contractors and customers may have access to your information assets, so make sure you include them in your security training strategy.
  6. Get feedback.  Make sure you have a clear method for understanding the effectiveness of your security training BEFORE you deliver it, whether that is a survey, ‘happy sheet’, group discussion or whatever. Someone will be monitoring the effectiveness of some of your other security controls (e.g. the Firewall) so do the same for your training – it is just as important.
  7. Get buy-in.  Before you start make sure management are on board.
  8. Is security training ‘on pain of death’?  Our energies should be focused on making the training a fantastic experience that people want to engage with, rather than expending time and effort brandishing a big stick to non-attendees.

    “As you didn’t turn up for security training, I now have to smash up your laptop. You were warned.”

Thank you to Mark Goddard, one of our expert consultants.

Security training needs to be seen as it truly is, an enabler for business.

Advent IM can help with training or out-sourced security management. www.advent-im.co.uk