Security training: speaking a language that end-users will understand

The session, titled “Geek Speak to Geek Sleek – Creating a Digestible End-user Training Program”, advised security professionals on how to translate technical education and regulatory requirements into a more palatable program that can actually educate rather than confuse or alienate enterprise end-users of IT services. Given that many organizations employ a dry, bare-bones approach to education that meets only minimum standards, it’s a problem that both IT security professionals and their end-users know all too well.

The first lesson of effective end-user security training? “Keep it in language they can understand”, said Julie Peeler, director of the (ISC)² Foundation and one of the three panelists. IT security professionals, she added, bring with them a vast amount of technical knowledge they often would love to share with end-users within their organization. “But we have to be able to understand where they are coming from...you need to know your audience.”

The biggest mistake planners make is immediately diving right into their baseline objective, “usually for some regulatory or compliance reason”, Peeler noted. Those responsible for training must develop programs with a variety of learning mediums to accommodate the various methods through which people absorb information.

Peeler provided seven points to consider for developing an effective end-user security program, what she called a “Knowledge Checklist”:

  • Know your audience
  • Know learning theory
  • Know your corporate culture (i.e., what is driving compliance or a lack of compliance among employees)
  • Know your key influencers
  • Know your internal communications mechanisms
  • Know the lessons to be learned
  • Know the measurement mechanisms to assess your program’s effectiveness

Peeler says one of the first steps you must take when developing a security education program is to survey the organization’s management. “Are they behind it? Do they understand it? Have a conversation with them to understand what the main issues are in their department, and the skill levels. This will help you understand what kind of training you need to put together.”

Fellow panelist James McQuiggan, program manager for Siemens USA Energy Security, agreed with Peeler’s recommendations. Education programs, he added, must consider the functional role their potential audience serves within the organization, and tailor programs based on their specific needs.

Revising your program at least once every six to 12 months, to keep it up-to-date, is another recommendation Peeler imparted. She also said to avoid training events or programs that are a single point in time, and instead advocated “a year-long program that has a lifecycle to it”.

Once-yearly security education programs “are a joke” according to Hord Tipton, executive director of (ISC)². He told Infosecurity that “it’s a matter of continuous education” and that once-yearly education schemes have no lasting effect. “You must build in things to supplement your annual training”, Tipton continued – strategies including poster reminders, reminders on a device’s boot-up screen, and reminders on a screen saver, just to name a few. “You must supplement [your program] with a number of techniques” that go beyond the mandatory baseline requirements, he said.

“You have to make your users understand that cybersecurity is important, you have to do it in their language, and you have to do it in a way that does not unrealistically scare them”, Tipton pointed out. This means expressing concepts in practical terms that end-users can understand – “explain the risks in clear language” – and underscore the impacts to the organization, such as the potential damage to revenues and reputation.

“Small pieces over time”, concurred Marc Noble, the third and final panelist during the session. The director of government affairs for (ISC)² and former CISO at the US Federal Communications Commission (FCC) said this approach is far more effective than a single hour of security training once a year. “If you are running a security program, you have to look at many ways of getting your message out there – and it’s not one way, and it’s not one hour. It’s five minutes here, five minutes there, and five minutes someplace else.”
