Training and Education
Right or wrong, employees believe that it is up to employers to provide training. Without proper training, employees are generally unaware of how their actions or activities can affect the security of the organization. One of the weakest links in security is the people who work for the company. Social-engineering attacks prey on the fact that users are uneducated in good security practices; therefore, the greatest defense against these types of attacks is training, education, and security awareness (see Figure 3.5).
Figure 3.5 Training and education triad.
Besides security awareness, you might find that your employees need more in-depth training in matters of organizational security. This might consist of in-house training programs that teach new employees needed security skills or the decision to send the security staff offsite for a CISSP education program. Regardless of which program your company decides it needs, you can use seven steps to help determine what type of security training to sponsor:
1. Establish organizational technology objectives.
2. Conduct a needs assessment.
3. Find a training program that meets these needs.
4. Select the training methods and mode.
5. Choose a means of evaluating.
6. Administer training.
7. Evaluate the training.
Types of training include the following:
In-house training
Web-based training
Classroom training
Vendor training
On-the-job training
Apprenticeship programs
Degreed programs
Continuing education programs
Security Awareness
Awareness programs can be effective in increasing employee understanding of security. Security awareness training must be developed differently for the various groups of employees that make up the organization. Not only will the training vary, but the topics and types of questions you’ll receive from the participants will also vary. Successful employee awareness programs tailor the message to fit the audience. These are three of the primary groups that security awareness training should be targeted to:
Senior management—Don’t try presenting an in-depth technical analysis to this group. They want to know the costs, benefits, and ramifications if good security practices are not followed.
Data custodians—This group requires a more structured presentation on how good security practices should be implemented, who is responsible, and what the individual and departmental cost is for noncompliance.
Users—Training for this group must align with each employee’s daily tasks and map to the user’s specific job functions.