CISSP Training and Awareness – Bk1D6T3St5

The security landscape is constantly changing. It’s a field that requires a dedication to learning. Practices and technologies that were acceptable 20 years ago are now considered insecure. File formats once thought safe have been exploited. Encryption technologies relied upon for wireless communication or secure web transactions have been found to have weaknesses. Issues have even been found in hardware, from Trusted Platform Module (TPM) chips to CPUs, with some issues, such as the Spectre and Meltdown flaws, existing for more than a decade before discovery. A security professional must stay on top of emerging threats to be effective. This creates two important areas that all companies should address.

  • Security training: Teaching people to perform their roles securely
  • Security awareness training: Educating people about security issues

On the surface, these sound similar; however, they have distinct objectives. For instance, we’ve discussed aspects of account management and the account management lifecycle. Teaching help-desk employees the processes of secure account creation and password distribution falls into the realm of security training. Employees have job responsibilities, and ensuring their tasks are performed in accordance with established guidelines and best practices falls under security training.

Additionally, emerging threats may pose a risk to the company. Educating employees about common attacks, such as phishing and business email compromise, raises awareness of attack methods and shows employees how they can adjust their practices to reduce the risk. Teaching employees the benefits of passphrases over passwords, for instance, can reduce the likelihood of success of password-guessing attacks against your network. Thus, security awareness training that covers each of these items, together with tracking of both its effectiveness and its uptake by staff, is an important part of security management. In fact, security awareness KPIs are included in NIST SP 800-55, “Performance Measurement Guide for Information Security.”

Training activities should be tracked and audited. Identify the security training and security awareness training needed. Ensure that all employees undergo the necessary training.

Determine when periodic refresher training may be needed for job tasks. Identify trends that may indicate areas that training can address. Additionally, as the security landscape changes, develop training for employees that raises awareness of threats, bad practices, and behaviors that may increase risk to the organization, such as password sharing. As training is delivered, identify employees who did and did not attend, and offer those who missed it the opportunity to attend an additional session, review a recording of the presentation, or participate in a similar alternative, so that all staff are adequately informed and aware of threats and of best practices for mitigating them. Many industry regulations, such as PCI-DSS, require training. Therefore, performing training, tracking attendance, and auditing compliance with training are important.
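The tracking and auditing steps above (identify required training per role, record completions, flag refresher training that is due, and find staff who have not attended) can be reduced to a simple reconciliation of a roster against training records. The following Python script is an added example and is not code from the CISSP text; the roles, course names, refresh intervals, employee IDs and completion dates are all constructed sample data. It reports, for each employee, whether each required course is current, overdue for a refresher, or missing entirely, and computes a per-course completion rate of the kind NIST SP 800-55 treats as a security awareness KPI.

```python
from datetime import date, timedelta

# Constructed sample data (not from the source text): how often each
# course must be refreshed, and which courses each role requires.
COURSE_REFRESH_DAYS = {
    "security-awareness": 365,
    "secure-account-management": 365,
    "secure-coding": 730,
}
ROLE_COURSES = {
    "help-desk": ["security-awareness", "secure-account-management"],
    "developer": ["security-awareness", "secure-coding"],
    "finance": ["security-awareness"],
}
# Constructed roster: employee id -> job role.
EMPLOYEES = [
    {"id": "e001", "role": "help-desk"},
    {"id": "e002", "role": "developer"},
    {"id": "e003", "role": "finance"},
    {"id": "e004", "role": "help-desk"},
]
# Constructed training records: (employee id, course, completion date).
COMPLETIONS = [
    ("e001", "security-awareness", date(2024, 3, 1)),
    ("e001", "secure-account-management", date(2024, 3, 2)),
    ("e002", "security-awareness", date(2022, 1, 15)),  # older than the refresh interval
    ("e002", "secure-coding", date(2023, 6, 1)),
    ("e003", "security-awareness", date(2024, 5, 20)),
    # e004 has no completion records at all
]


def latest_completions(completions):
    """Map (employee id, course) -> most recent completion date."""
    latest = {}
    for emp_id, course, when in completions:
        key = (emp_id, course)
        if key not in latest or when > latest[key]:
            latest[key] = when
    return latest


def audit_training(employees, completions, role_courses, refresh_days, as_of):
    """Return {employee id: [(course, status, last completion date)]}.

    status is "current", "overdue" (the refresh interval has elapsed since the
    last completion) or "missing" (the course was never completed).
    """
    latest = latest_completions(completions)
    report = {}
    for emp in employees:
        rows = []
        for course in role_courses[emp["role"]]:
            last = latest.get((emp["id"], course))
            if last is None:
                status = "missing"
            elif as_of - last > timedelta(days=refresh_days[course]):
                status = "overdue"
            else:
                status = "current"
            rows.append((course, status, last))
        report[emp["id"]] = rows
    return report


def needs_followup(report):
    """Employees with at least one missing or overdue requirement, sorted by id."""
    return sorted(emp_id for emp_id, rows in report.items()
                  if any(status != "current" for _, status, _ in rows))


def completion_rate(report, course):
    """KPI: fraction of employees required to take `course` who are current on it.

    Returns None when nobody in the report is required to take the course.
    """
    statuses = [status for rows in report.values()
                for c, status, _ in rows if c == course]
    if not statuses:
        return None
    return sum(1 for s in statuses if s == "current") / len(statuses)


def run_sample_audit(as_of=date(2024, 9, 1)):
    """Audit the constructed roster as of a fixed date so results are reproducible."""
    return audit_training(EMPLOYEES, COMPLETIONS, ROLE_COURSES, COURSE_REFRESH_DAYS, as_of)


if __name__ == "__main__":
    report = run_sample_audit()
    for emp_id, rows in report.items():
        for course, status, last in rows:
            print(f"{emp_id} {course:26} {status:8} last={last}")
    print("follow-up needed:", needs_followup(report))
    print("awareness completion rate:", completion_rate(report, "security-awareness"))
```

In practice the roster would come from the HR or identity system and the completion records from the learning-management platform; the reconciliation logic stays the same. Keeping the report per employee and per course is what makes it auditable: an assessor can trace any KPI value back to the individual records that produced it.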