When dealing with marketing organizations, the key challenge for information security specialists is not communicating the benefits of new solutions, but changing the hearts and minds of staff.
Securing web applications is a modern IT department’s most important responsibility. There’s no shortage of solutions, cloud-based or otherwise, that address this problem. But for years, exasperated IT professionals have tried and failed to find a solution that is easy enough to use that marketers would finally adopt it en masse.
That day may come – but we are not there yet, and not even close. In 2015, more non-technologists will utilize web applications than in any prior year. And these non-technologists are not trained in version control, application vulnerability, penetration testing, or even the basics of a CSRF attack. They shouldn’t be – that’s not their job. They don’t have time. They barely have time to complete what is their job: updating micro-sites, email marketing campaigns, marketing automation triggers and drip email setup, cohort analysis, call-to-action assessment, funnel analysis, and much more.
Let’s try to get an understanding of the current ‘best practices’ in IT training. A recent study identified six best practices: offering IT trainees choice between different training methods, planned on-the-job training, using mixed methods within the same course (web-based and instructor led), just-in-time training, using outsourced training solutions – university partnerships and external IT training and content providers, and building courses with reusable components. These methods make sense intuitively when the training is being administered to IT pros, but how about other groups?
The best practices for training non-IT professionals are fundamentally different. Most begin with establishing a foundation, and rather than relying on tactics for better information dissemination or absorption, have an altogether different focus: make IT less intimidating, more approachable, and generally more understood. Learning core terminology and understanding how IT helps achieve corporate goals are two main objectives.
In many companies and organizations, the need for easy-to-use marketing technology has driven adoption of open source content management systems (CMS). Rather than waiting days or weeks for the needed approvals, campaigns can be launched quickly, updated on the fly, and with little help from IT. This has created an interesting dilemma. On one hand, technology has won – it has become so easy-to-use that IT has been circumvented! Until something goes wrong.
The worst time for IT to become involved is after things have gone wrongDavid Moeller, CodeGuard
The worst time for IT to become involved is after things have gone wrong. Unfortunately, all too often, this is when they are contacted. CMS systems and websites modified through html editors via web browsers often crash. Perhaps the core installation wasn’t updated and an automated hack commandeered the site. Or a vulnerable plugin was exploited and the site has been defaced. IT is always notified when it has become an emergency. Can this cycle be changed?
Small and large businesses alike can end this cycle by adopting and implementing a three-step approach. First, 10% of employee time should be dedicated to important but non-urgent issues, like training. Without time dedicated to proactive problem resolution, it will never get done. Next, IT must be empowered to provide training to non-IT professionals. Lastly, IT should be supported by either internal or external HR resources, to ensure the training provided accomplishes the goals of making IT less intimidating, more approachable, and generally more understood. There should be accountability, which can be as simple as post-training surveys, to verify and improve training efficacy.
All too often, IT training courses launch into the complexities of IT, advanced networking, internet protocols, client/server relationships – and non-IT professionals are left more scared than ever. Training should be geared towards first developing an understanding of why IT exists within an organization, humanizing the people behind the function, and providing communication and escalation paths.
Once marketing professionals respect the individual IT personnel providing the training, and the IT function, they will be more receptive to in-depth learning. This is the point at which best practices in IT should be explored. Some best practices will be applicable to all employees: personal mobile device security, organization-wide single sign-on usage, etc. Other best practices will be relevant only to a subset, e.g. website IT practices for marketing professionals who are interacting with websites regularly.
There are no silver bullets in training marketing personnel to secure WordPress or other CMS-based websites. It isn’t easy. Even offering training won’t be enough if the training is not conducted in the right way and endorsed by business champions so that HR can provide oversight and ensure it is run properly.