Freedom through Security Training


SECURITY AND AWARENESS TRAINING: A PRIMER

Introduction

The Ponemon/IBM Data Breach Study of 2019 notes that human error is the root cause of 24% of all data breaches. Further, as the report notes, lax employee behavior often contributes to malicious criminal activity. This can mean that up to 75% of data breaches can be mitigated by better security awareness and training efforts. This staggering number clearly points to the need for all employees to exercise better data hygiene.

As security experts for over 15 years, Techumen has witnessed that people influence security more than technology or policy, and that cyber-criminals know how to exploit human behavior. Security and risk management leaders, therefore, must invest in tools and training efforts that increase awareness and influence employee behavior.

If better security and awareness training were available throughout the entire organization, the number of breaches and the associated damage would be dramatically lessened. Inevitably, there must be different approaches to security and awareness training, since everyone in an entity can benefit. This vision should not be limited to any specific employee groups such as front-line or back-office workers. Instead, everyone in the organization, including IT experts generally thought to be fully aware of risks, must be security aware for the roles they perform and therefore trained appropriately.

What exactly is Security and Awareness Training?

The term “security and awareness training” is commonly used to refer to a broad range of education, communication, and behavior management activities and learning outcomes. These activities and outcomes include:

·       Complying with regulations, procedures and policies

·       Supporting disciplinary actions

·       Increasing employees’ knowledge and competency concerning threats, risks and security options

·       Changing and maintaining employees’ security behavior and building a more security-aware culture

The approaches for security and training can include:

·       Direct behavioral conditioning — such as anti-phishing projects

·       Specific programs to reduce developer error, for example through secure coding training efforts and purchase of tools to identify risks prior to new system deployment

·       Breaking down of IT silos through better coordination and training activities. For example, the Program Management, IT Operations, Software Development and Information Security functions must work in tandem to identify security weaknesses in proposed systems before work begins. This is often a major weakness in organizations and can be readily rectified through training.

·       Understanding that emerging data-intensive initiatives such as “data analytics” require careful inter-team coordination and specific training for end-user responsibilities.

·       Internal marketing campaigns involving posters, competitions and advertising style messaging.

Conclusion

Solutions with different objectives for security education all share the goal of supporting enterprise requirements for the management of security risks. Security education can fulfill multiple objectives and requirements. However, training and awareness must:

·       Provide the right content for the right people: identify the target audience for security training. This means mapping out the core body of knowledge to identify the appropriate level of training

·       Support role- and performance-based security needs, including technical training, management training and community outreach

·       Deliver knowledge- and skill-based training by personnel who are both qualified security professionals and experienced trainers.

At Techumen, we are skilled both in security and in training delivery, using various formats and targeting multiple different employee groups. Training courses, exercises and tests will all depend on the type of training required. There is no one-size-fits-all approach for security training. Instead, a comprehensive “security training” plan must be developed and tailored for each organization.

Terry Ziemniak

Fractional Cybersecurity Executive (CISO) with experience in healthcare, AI, IT services, start-ups, and more.

5 years

Coordinated and integrates security training. Great concept.
