Join Mike Chapple for an in-depth discussion in this video, Security education, part of CompTIA Security+ (SY0-501) Cert Prep: 5 Risk Management.
- [Instructor] Security depends upon the behavior of individuals. An intentional or accidental misstep by a single user can completely undermine many security controls, exposing an organization to unacceptable levels of risk. Security training programs help protect organizations against these risks. Security education programs include two important components. Security training provides users with the detailed information that they need to protect the organization's security.
These may use a variety of delivery techniques, but the bottom-line goal is to impart knowledge. Security training takes time and attention from students. Security awareness is meant to remind employees about the security lessons that they have already learned. Unlike security training, awareness doesn't require a commitment of time to sit down and learn new material. Instead, awareness efforts use posters, videos, email messages, and similar techniques to keep security top of mind for those who've already learned the core lessons.
Organizations may use a variety of different methods to deliver security training. This may include traditional classroom instruction, providing dedicated information security course material, or it might insert security content into existing programs, such as a new employee orientation program delivered by human resources. Students might also use online training providers to learn about information security, or attend classes offered by vendors. Whatever methods an organization uses, the goal is the same: to impart security knowledge that employees can put into practice on the job.
Let's take a look at a couple of examples of security training and awareness methods. The SANS Institute Securing the Human program provides online training in a number of different languages, covering a wide range of security topics. Organizations can add their own customized introduction and then depend upon the program to provide current, updated security training organized into many different modules covering different components of information security and compliance. Managers can pick and choose from these modules to design a training program that makes the most sense for their organization's security and regulatory environment, customizing the training that each user receives.
Let's take a look at another provider, PhishMe.com. Here we will find an interesting twist on security awareness. Instead of simply providing security training, PhishMe allows you to measure the success of your training efforts by actually conducting simulated phishing attacks. Users receive fake phishing messages in their inboxes, and if they respond, they're directed to security training materials that warn them of the dangers of phishing and help prevent them from falling victim to a real attack. Backend reporting helps security professionals gauge the effectiveness of their security education efforts by measuring the percentage of users who fall victim to the simulated attack.
Those are just two examples of security education providers. There are many more out there that can help you quickly build an effective security training and awareness program. While all users should receive some degree of security education, organizations should also customize training to meet specific role-based requirements. For example, employees handling credit card information should receive training on PCI DSS requirements. Human resources team members should be trained on handling personally identifiable information, or PII.
IT staff need specialized skills to implement security controls. Security training should be custom-tailored to an individual's role in the organization. Common examples of role-based security training include creating training specifically for data and system owners, system administrators and other privileged users, normal users, and executives. You'll also want to think about the frequency of your training efforts. You need to balance the time required to conduct training with the benefit gained by reminding users of their security responsibilities.
One approach used by many organizations is to conduct initial training whenever an employee joins the organization or assumes new job responsibilities, and then use annual refresher training to cover the same material and update users on new threats and controls. Awareness efforts throughout the year then keep this material fresh and top of mind. One last note on security education programs. The team responsible for providing security training should review materials on a regular basis to ensure that the content remains relevant.
Changes in the security landscape and the organization's business may require updating security training materials to keep them fresh and relevant. Remember, security training is not just a one-time process. Organizations should run continuing education programs that periodically remind employees of their security responsibilities and update them on new security developments.