10 Things your security and training awareness program should cover
Independent Information and Cyber Security specialist Frank Martin talks about the importance of having a security and training awareness program.
One of the most important things when it comes to securing your business is ensuring that your people, partners and customers understand what security means to you. However, in order to be able to do this, you must first ensure that your own people know how important security is to the business. Due to legislation, compliance, governance, and contracts, no matter what your business type, security is a factor these days. Whether you are taking payments online, looking after personal details (be they financial, health or other matters) or you are manufacturing something and you want to keep the secret sauce recipe, just that, a secret, training your people in security awareness will pay back in spades.
Below I have highlighted 10 areas that any security and training awareness program should cover. I hope that you find this of benefit.
- Not everyone needs the same level of training
- Cover the basics
- Make sure the training is pertinent to your organisation
- Ensure that you cover the benefits of the program
- Identify the levels of training required, technical, process, legislation, contract etc.
- Ensure everyone understands what you are trying to achieve (e.g. maturity level)
- Use different methods of delivery
- Make sure you can measure the training effectiveness by using the right metrics
- Decide between internal and external training delivery
- Understand the maintenance of an on-going training program
1. Not everyone needs the same level of training
One of the most basic mistakes that most organisations make in their security and training awareness program is that everyone across their organisation is tarred with the same brush when it comes to training requirements. Whilst it is true that everyone should understand the basics (see next point) some elements of the business are going to need a much more in-depth understanding and training for the organisation to be secure. Even if you are outsourcing your security to a third party you are going to require people who have a fundamentally more detailed understanding of the various facets of security.
So in order to carry out any program of security awareness training, a gap analysis should be carried out to establish what levels of security are required, covering what functional areas (technical, process, people, physical), to what depth, and for what groups. This will give you a clear context as to what numbers need what training, in what area, and allow you to more clearly establish the costs involved. This will also help you decide on two of the later points around delivery method and internal or external training.
2. Cover the basics
You must cover the basics to ensure you have a level playing field. You do not want to go in at too high a level, where you are going to lose people in the myriad of acronyms that are involved in this particular field. By basics, I am on about some of the terminology e.g. threats, vulnerability, risks, controls etc. as well as the reasoning behind why this should be done (more of this in the benefits section below).
It is a well-known fact that most people who get involved on the fringes of security believe it is too difficult or they cannot be bothered. Equally, many of us involved in this area from a day-to-day perspective live and breathe acronyms and terminology that make it sound like we are talking an alien language to the uninitiated. What is needed is a training and awareness program that talks in plain business language about the concepts of security (be that information security, cyber security or any other title that is flavour of the month at the moment), how they affect the business (whatever your business may be) and how they are part of the program to reduce the business's risk from these issues.
3. Make sure the training is pertinent to your organisation
Of course in order to get the message across you absolutely need to make the program about your business. It is no use taking a vanilla security and training awareness program and saying the business should use this. It does not make sense. The program would be flawed and the people partaking of the program would not understand the relevance to the business and therefore why it is needed. A good training and awareness program is wholly relevant to the business, how it operates, what its goals are with regards to security and the policies, legislation and compliance that the business may be bound to.
4. Ensure that you cover the benefits of the program
As with any training it is no use giving training for training’s sake. You have to be able to articulate the benefits of the training program.
Common things in this area are showing how the training will reduce the risk to the business and how the training will help protect the company’s intellectual property. A big one these days is the company’s reputation. Quite often it is difficult to put a cost on this for any business, but get your trainees to think about these aspects and how the training is helping them to reduce these risks. The personnel being trained need to understand that they are a layer within the overall security controls, and a very important one, and the training will hopefully provide them with sufficient understanding to help maintain the company’s security posture.
5. Identify the levels of training required, technical, process, legislation, contract etc.
The levels of training required are going to be different across different parts of the business. Whilst everyone might go through introductory training that covers the basics, some people in some parts of the business may require more specific training e.g. HR may require training in personal identifiable information concepts, legal may require training in contract elements of security, installation teams might need training around security handling requirements and so on.
Giving people awareness training is one thing, but do you have the requisite processes in place to meet the security requirements? Are escalation, vulnerability, reporting and other processes in place to support the security program and associated training and awareness?
6. Ensure everyone understands what you are trying to achieve (e.g. maturity level)
Explaining the benefits is one thing but you should also ensure that your training audience understands what you are trying to achieve. Are you trying to get the business to a certain level of maturity (there are a number of security maturity models out there)? Are you trying to reach a level of compliance e.g. ISO/IEC 27001? Are you trying to get the company/system through a certain assurance scheme e.g. CBEST? What exactly is the need for the security and training awareness program, and what are we trying to achieve? This does two things with your audience: i) it focuses their minds on what they need to know and why, ii) it gives them a common goal to achieve, ensuring everyone is moving in the same direction. What you then find is that people have more of a tendency to help each other in obtaining this common goal.
7. Use different methods of delivery
Another thing that is quite often misunderstood in these training programs is the method of delivering the training and what works best. For example, it would not make sense to deliver all types and levels of training using the same method e.g. online delivery. You need to look at how many people need what type of training, how interactive the training needs to be, do they need any specialist equipment, are they going to be tested or examined at the end of the training, is the training being delivered by an internal or external team/person?
It should be understood for the more in-depth training that people also learn in different ways so the more options you have to be able to deliver the training possibly the better. Having said this, it all has to be balanced against the cost but they should at least be considered and discussed with the training team.
8. Make sure you can measure the training effectiveness by using the right metrics
Training, like everything else, can only be improved upon or be effective if it is measured. Due consideration should be given as to how you are going to measure your training and awareness program. Are you going to measure by examination/test? Are you going to measure by the reduction in the number of security incidents that are raised over time? This one could be problematic initially: after a training session, while it is fresh in people's minds, you might find a corresponding jump in the number of incidents reported, which people might not have thought about or known before their training. Are you going to measure by the reduced number of non-conformances from an external audit going forward? However you measure, you need to have good metrics in order to be able to understand the impact that your training is having, otherwise it will not be possible to justify the initial expenditure.
9. Decide between internal and external training delivery
There are many pros and cons in whether you should use an internal or external delivery for your training. As this training should be pertinent to the business it seems to make sense to use an internal team to deliver the training.
However, getting internal resource may be a problem in itself, so a good external company that understands this area, can perform a gap analysis and can break down the training into quantifiable areas, showing the benefits and being able to measure them, may be worth it in spite of its higher cost.
This will be down to personal choice and your own facilities and capabilities. Training is a specialist area, however, as is security, and trying to furnish this from within may prove to be a challenge. If you do use an external supplier, do check their experience and knowledge of the subject areas that you need to cover.
10. Understand the maintenance of an ongoing training program
And finally, you have your program underway. The people are being trained; they are enjoying it and see the benefits. You are seeing an improving awareness across the business and a reduction in security incidents or non-conformances or whatever other measures you have decided upon. Now is the crunch time. You have to keep this going! Yes, unfortunately security does not stand still and also people forget things. So this training and awareness program needs to be an on-going event to maintain the benefits of starting the program in the first place. So you need to consider how you maintain this effort as you move forward. Can you just move to a lesser refresher program? What about new people who join the company? What if there are new threats that come out over the coming year? How can we keep people’s interest in this area and ensure they continue to do the right thing? These need to be part of your program in terms of your business case, your costs and your on-going maintenance.