After several phone conversations with Eric Ogren of the Ogren Group over the past few years, I finally had the pleasure of meeting him in person at the RSA Conference last week. We exchanged a few war stories about the frozen north and how much we were enjoying the great weather in San Francisco during the conference. Eric had just written this blog post about security training which I hadn't seen. So just in case anyone else missed it, I thought I'd share with you here:
It is no secret that many CSOs acknowledge the inevitability of attacks penetrating security defenses. You are all challenged with enabling the user community to participate in security and to make healthy security decisions on their own. The continuous training of end-users on the latest security issues should be a fundamental element of every security strategy to ward off security incidents.
According to Wombat Security, 48% of organizations report difficulty in funding security training programs and 44% report difficulty encouraging employees to take security seriously. This is an unacceptable position in these days of mobile and cloud computing that places so much of the business beyond the protective reach of your IT and security teams.
Perhaps it is time for organizations to re-think their approach to security training. It is not a matter of sitting through an annual seminar lecture, or being forced to read policy documents and sign security pledges. CSOs love activating business users for a healthy business - integrating security training with employee education is consistent with that mission. With that in mind, here are three thoughts that may help you with a security training program.
1. Work with applications teams and human resources to embed security awareness into the business. Users are just not into security training for security's sake. For instance, you could allow cloud-based application training to include a few modules on mobile security. Users learn how to do their business better and improve their security awareness too!