Sysadmins: Your great power brings the chance to RUIN security
Risk management chap explains how to stop users dozing when you talk infosec
Risk management bod Kris French Junior has offered 10 tips to help security teams bin their boring, technical, one-size-fits-all education schemes.
The Hyland Software education aficionado takes aim at what he sees as pervasive checkbox compliance-driven and complicated training programs that lack the excitement and pizazz of crowd-pleasing security talks.
French (@turtl3up) illustrates one example of a poor program, pointing out that a large text-heavy Payment Card Industry Data Security Standard document sent to employees to sign "reeks of someone who doesn't care".
"We have a hundred people doing malware analysis, we have a thousand people doing network traffic analysis, but very few people working on this problem," French says.
"The number one problem is that you don't care enough but you expect your users to.
"If you have a document that is designed to keep your bosses off your boss … the users get through the quizzes and you use that as your compliance metrics, then that shows you don't care enough."
French says executive buy-in is essential in order to expand programs beyond those already interested: "grass can only reach a certain height," he says.
Users' heads hitting desks in bafflement in 3 ... 2 ...
Security bods should talk to business managers about money and litigation in the context of avoiding a breach, and learn to create reports through Microsoft Excel.
"Managers love charts. And if that doesn't work you can fall back to Gartner."
Education schemes should be well planned in advance so that managers know how many resources they will consume.
The programs should also be pitched at a language level or minimum standard that users can understand. French has created simplified slides for his sales teams to help them better visualise the security controls they use, such as encryption versus hashing.
Programs should also avoid off-the-shelf computer-based training software that distributes the same education regardless of roles. Receptionists, for instance, should be given a copy of Kevin Mitnick's The Art of Deception for easy consumption of social engineering training, French says.
Infosec professionals need to hone public speaking skills, best done by presenting short talks at the many information security community gatherings.
Other big-name organisations have offered security training tips. Last year Etsy security boss Rick Smith said security teams can get developers caring about infosec with lures of beer and candy. Twitter's then-security man Dan Tentler described that company's internal phishing training initiative, in which infosec bods regularly phished their own employees, making the lures more difficult to spot as staff became more savvy.
French's 10 reasons why your security training programs aren't working:
- You don't care enough, but you expect your users to.
- Your managers don't care enough.
- You don't speak their language.
- You're a terrible speaker.
- Your slides are ridiculous.
- You rely on computer-based training.
- Your content isn't reliable.
- You don't test and repeat.
- You treat it too much like work.
- You don't convey the cool.