Join Mike Chapple for an in-depth discussion in this video, "Security education," part of CompTIA Security+ (SY0-501) Cert Prep: 3 Architecture and Design.
- [Narrator] Security depends upon the behavior of individuals. An intentional or accidental misstep by a single user can completely undermine many security controls, exposing an organization to unacceptable levels of risk. Security training programs help protect organizations against these risks. Security education programs include two important components. Security training provides users with the detailed information that they need to protect the organization's security.
These may use a variety of delivery techniques, but the bottom-line goal is to impart knowledge. Security training takes time and attention from students. Security awareness is meant to remind employees about the security lessons that they've already learned. Unlike security training, awareness doesn't require a commitment of time to sit down and learn new material. Instead, awareness efforts use posters, videos, email messages, and similar techniques to keep security top of mind for those who've already learned the core lessons.
Organizations may use a variety of different methods to deliver security training. This may include traditional classroom instruction, providing dedicated information security course material, or it might insert security content into existing programs, such as a new employee orientation program delivered by human resources. Students might also use online training providers to learn about information security or attend classes offered by vendors. Whatever methods an organization uses, the goal is the same: to impart security knowledge that employees can put into practice on the job.
Let's take a look at a couple of examples of security training and awareness methods. The SANS Institute Securing the Human program provides online training in a number of different languages covering a wide range of security topics. Organizations can add their own customized introduction and then depend upon the program to provide current, updated security training, organized into many different modules covering different components of information security and compliance. Managers can pick and choose from these modules to design a training program that makes the most sense for their organization's security and regulatory environment, customizing the training that each user receives.
Let's take a look at another provider, PhishMe.com. Here you'll find an interesting twist on security awareness. Instead of simply providing security training, PhishMe allows you to measure the success of your training efforts by actually conducting simulated phishing attacks. Users receive fake phishing messages in their inboxes, and if they respond, they're directed to security training materials that warn them of the dangers of phishing and help prevent them from falling victim to a real attack. Back-end reporting helps security professionals gauge the effectiveness of their security education efforts by measuring the percentage of users who fall victim to the simulated attack.
Those are just two examples of security education providers. There are many more out there that can help you quickly build an effective security training and awareness program. While all users should receive some degree of security education, organizations should also customize training to meet specific role-based requirements. For example, employees handling credit card information should receive training on PCI DSS requirements. Human resources team members should be trained on handling Personally Identifiable Information, or PII.
IT staff need specialized skills to implement security controls. Security training should be custom-tailored to an individual's role in the organization. You'll also want to think about the frequency of your training efforts. You need to balance the time required to conduct training with the benefit gained by reminding users of their security responsibilities. One approach used by many organizations is to conduct initial training whenever an employee joins the organization or assumes new job responsibilities, and then use annual refresher training to cover the same material and update users on new threats and controls.
Awareness efforts throughout the year then keep this material fresh and top of mind. One last note on security education programs: the team responsible for providing security training should review materials on a regular basis to ensure that the content remains relevant. Changes in the security landscape and the organization's business may require updating security training materials to keep them fresh and relevant.
Instructor Mike Chapple has designed the training around the most recent version of CompTIA Security+, SY0-501, which expands coverage of mobile and cloud technologies. By learning about the topics in this course, you'll be prepared to answer questions from the latest exam—and strengthen your own organization's systems and defenses. To join one of Mike's free study groups, visit certmike.com.