Training, Awareness, & Education - Cornerstones to Security Success
No matter the organization, industry, or individual, every security professional we talk to says key ingredients to a successful enterprise security program are training, awareness, and education. A company can have the best tools in the world, the most detailed policies, but if people aren’t using the tools correctly, not following process or skirting process when (they feel) necessary, or are simply able to bypass what’s in place, the security of your data and systems will always be sub-optimal.
At our most recent Forum in Dallas, a few of the Steering Committee members, including Steering Chairs James Beeson (GE), Chad Renfro (Bank of America), and Richard Dorough (Textron), shared their most effective strategies from their own security training and awareness programs.
“Make it personal,” said one CISO. Asking people to attend a meeting about using company assets securely generally yields very poor results, he said, but when he invites employees to a brown bag lunch presentation on “Keeping the Internet Safe for your Children,” the meeting is standing room only!
“It’s the same message,” he noted, “just couched in more personal terms.” As soon as anyone starts talking “company,” people lose interest, yet everyone wants to know how to keep their personal information – bank and credit card information, online transactions, contact info – safe from those with bad intentions. Especially in light of all the media coverage surrounding breaches at household-name institutions like Citibank and Sony, people’s awareness is heightened. “When my 70-year-old aunt asks me about ‘this APT stuff,’ you know it’s become bad,” commented IANS SVP of Research Chris Silva.
“Make it a challenge,” suggested another Steering member. This CISO holds monthly contests that are really security training programs. “Holding a formal training class and taking time out of employees’ days is not only ineffective,” he said, “but it also costs the company money. I can use that same money to buy something our employees all want, like a new iPad or tickets to a professional sports game, and people will automatically want to be involved.”
But it’s not all fun and games. The point of the exercise is to have employees read through security materials and look for a hidden code or security phrase that they can then submit to win that month’s prize. His team spends a lot of time making sure the answer isn’t obvious and that completing the reading is required for entry. Because of these contests, this CISO reports much greater interest in security from the organization as a whole and, even more importantly, decreased unintentional data loss.
These are just a few examples of what has worked for some IANS clients. We’d love to hear what works, or what has failed miserably, at your organization, so please comment on this post with your own stories. If you are an IANS client, contact your account manager, who can put you in touch with other security leaders who are grappling with the training, awareness, and education question. With enough requests, IANS will organize a virtual Symposium for our clients.
IANS is continually receiving Ask an Expert queries on the topic, so the more information we can share as an industry, the more secure we’ll all be.
