
Of Black Hat and security awareness

Mathias Thurman | Sept. 3, 2015
The annual security conference was a chance to go deep. But back in the office, how do you get 100% of the company’s employees to complete the security awareness training?

Attendees arriving at the Black Hat 2015 cybersecurity conference in Las Vegas. Credit: Steve Marcus, Reuters

In the past few weeks, I was able to go deep into security issues (this was during my yearly pilgrimage to the Black Hat security conference in Las Vegas), and then concentrate on the basics (by getting our employees to fulfill our security awareness requirements). Both were highly satisfying.

Black Hat came first. If you’re able to attend just a couple of conferences per year, I highly recommend RSA and Black Hat to all security professionals, regardless of level. They’re conveniently spaced about six months apart, making it easier to get your boss’s approval.

Trouble Ticket

At Issue: Security awareness training has to be completed by all employees in order for the company to be PCI-compliant.

Action Plan: Use a carrot, not a stick, and then sic HR on the last non-complying employees.

Black Hat is a combination of in-depth, mostly hands-on training and briefings that tend to be presentations on various security topics, typically with a focus on security weaknesses. I am interested in briefings in which the presenters demonstrate a successful hack or compromise of something very interesting or familiar. This year’s quintessential Black Hat presentation demonstrated the ability to remotely control connected-car functions. It’s the sort of thing that really sets Black Hat apart.

Of course, Black Hat also has the obligatory expo floor, and I enjoyed the opportunity to obtain demos from technology vendors that I currently use or am considering. It’s much easier to ask pressing questions in a venue like this than to schedule individual meetings and then sit through a bunch of marketing slides before getting to the real substance. One stop on the floor was at Palo Alto Networks. We’ve recently deployed that company’s advanced firewall, and I had some questions about the new interface in the latest version. Also, I’m currently in the market for a new SIEM tool, and there were plenty of vendors to meet with. I was able to knock out four in-depth product demos in less than three hours! And of course, Black Hat wouldn’t be much fun without some cool parties and networking events, and what better place for that sort of thing than Las Vegas?

Prior to departing for Black Hat, I had set up our yearly security awareness training for employees and contractors. We purchased subscriptions to two of the SANS Institute’s Secure the Human training programs, one for end users and one for developers. I like these SANS programs. They’re easy to deploy; they do a good job of keeping track of the users who have completed the training; the material is of a high quality, with both breadth and depth of security information; and the material is frequently updated, which is important given the fast pace of change in security and technology. I also like the brevity of the training, which is more about substance than storytelling, so our employees can cover more ground in less time.
