Ignorant Doctor

If you had a choice between doctors to perform surgery on you, which would you pick: a doctor who has sat through training on how to perform an appendectomy, or assurance that your doctor will successfully perform your appendectomy?

The answer seems obvious, but on the topic of dealing effectively with human vulnerabilities in cybersecurity, most of us seem satisfied with “awareness training.”  It’s a check-the-box response to regulatory compliance or client demands.   Sign everyone up for an on-line phishing exercise and you’re done.  Yet the consequences of ineffective training can be dire.  You will most certainly lose productivity, you’ll probably lose money, and you may lose the company.

This is not to say that awareness is unimportant.  But raising awareness is just the first step in effective cybersecurity defense.  Employees—and management—must come to understand why and how security incidents occur and learn how to recognize and guard against them.  In other words, you must develop assurance that everyone in your organization is equipped to protect the company and its assets.

  • To focus attention on security.
  • To convey security skills.
  • To have confidence in your organization’s ability to deter, detect, respond to, and recover from a cybersecurity incident.

Technology is not a Panacea

There are those who argue that people will always fail, and that money spent on training is wasted.  They suggest that it’s no more effective than expecting a teller to protect a bank.  In fact, tellers do protect banks by observing procedural rules and by being the first line of defense against fraudulent transactions.  But I digress.

Here’s why this argument falls short.  Effective training goes well beyond telling employees not to click on a phishing link.  It helps employees understand:

  • why they may be targeted (often because of their job function);
  • what methods of attack are commonly used;
  • when an attack is most likely to occur;
  • how social media use contributes to business email compromise;
  • that small company size or obscurity do not prevent attacks; and
  • what to do if they think an incident has occurred.

Technology can’t solve all information security problems.  Cybersecurity standards all point to a multi-faceted plan of defense that addresses administrative, operational, physical, and technical controls.  The first three of these are driven by people—what they do and how they do it.

Training for Understanding and Action

Having controls is important, but ensuring that your employees understand and can implement them is priceless.  Start by providing training content that fully explains your policies and operational procedures.  Include specific guidance regarding:

  • where to store sensitive information to enable technology protections
  • how and when to dispose of data when it’s no longer required, so it’s not available to be compromised
  • why policies are not “suggestions,” and the potential consequences of ignoring them

Focus training functionally.  Executive management, line employees, administrators, and information technology each have unique cybersecurity risks and responsibilities, and will benefit from a tailored curriculum.

Assurance comes with audit, attestation, repetition, and cultural change.  As the saying goes, you usually get what you pay for.  If you “check the box” for cybersecurity training, then you may get awareness, but little else.  Invest in your people and your organization by going beyond security awareness to security assurance.