In many ways, security awareness training exemplifies the way information security is seen and tackled by senior management.
A once-a-year, classroom-based approach may be traditional, with security updates and warnings posted on walls and the Intranet, but it is also a sign of a tick-box, compliance-driven approach to security. It is often done to appease industry regulators, PCI assessors and data protection authorities, and the training tends to offer relatively basic, arguably condescending, advice.
But times are changing. The attack surface is growing with the arrival of millions of mobiles and wearables, each a network-connected endpoint, while organized crime and nation-state APT groups are looking for new ways of compromising victims. From exploit kits and Trojans to ransomware, phishing and social engineering scams – the criminal game has moved on.
The information security industry has recognized this, calling for less reliance on purely preventive defenses and more investment in detection and response. But surely that means security training must change in turn?
Still a low priority
There’s a debate to be had on how seriously Chief Information Security Officers (CISOs) or Chief Security Officers (CSOs) are taking security training – and how well they’re doing it.
One study, commissioned by ClubCISO last year, found that 21 percent of CISOs had “never” given security training, with a further 21 percent indicating that they only did so when new staff joined the company. Thirty-seven percent said they carried out training on an annual basis and another 21 percent said it was carried out “frequently”.
More than half (52 percent) of the surveyed CISOs admitted that their security awareness training programs had “no measure of effectiveness”, while 24 percent said that they relied on online testing. A further 14 percent said they had an after-training test, with a well-prepared 10 percent measuring incident and support call volumes before and after training.
Pete Wood, CEO of infosec consultancy First Base Technologies, says training programs have to change, top-down.
“Businesses are finally understanding they need to make staff part of the defensive posture, rather than just throwing money at product. Historically, it’s been something that staff members have to attend, that they hate doing, and almost do with the same mind-set as health and safety training. This is not really a 21st century solution.”
Stu Sjouwerman, CEO of KnowBe4 – the security awareness training provider that is also Kevin Mitnick’s company – agrees that this “old-school, compliance check-box” training, usually delivered over PowerPoint, is fading out.
“That’s not hacking it anymore, because two days later everyone has forgotten everything.”
Board buy-in is a must
It is clear that establishing a positive training program must start with board backing.