Is it time to blame the messenger for security training failures?
People in your organisation are probably sharing passwords, using unauthorised devices and applications to access corporate data, and unauthorised cloud stores for good measure. Some won't know this breaches company security policy, others will and won't care. Some of the perpetrators will be on the shop floor, others around the boardroom table; this wilful disregard for secure best practice knows no pay grade boundary. Truth be told, the chances are high that people just don't care about your carefully considered 'security posture' or really give one, let alone two, hoots for the day-to-day security message on a personal level whether it's out in the field or up the executive level.
Now that you've read that admittedly somewhat 'paint it black' introductory paragraph, I urge you to go back and read it again. Please. Consider what it actually means, out there within every organisation, in the real world. All too often, in way too many organisations, the easy option is adopted: if employees don't care about security, if they are going to ignore (or bypass) policy where they can, then why waste time and money on training programs when it can be better spent on group policies backed up by software and hardware that will enforce them and protect the network as best as it can? That is not only a shame, it's also one reason there are so many breaches – large and small.
Shooting the messenger
I'm about to commit Internet heresy now and point the finger of blame firmly at the messenger. Just having a 'strict parent policy' that says no, no and no again with no real explanation as to why, backed up by the technological equivalent of being sent to your room and grounded, is obviously not going to work. In fact it's asking for trouble when your staff know enough, and if they don't then Google and YouTube do between them, to be able to climb out of the analogical window and do whatever it was you were trying to stop them from doing anyway. By adopting this approach you are, in fact, weakening your security posture and not strengthening it. The answer, without any shadow of doubt, has to lay with getting the security message across properly; being a successful messenger.
Seriously folks, call it training, call it education, call it induction policy if you absolutely must, but it all really boils down to two words: awareness and communication. Communicating the security message from the shop floor to the CEO is key to successful awareness of the issues that in turn can help mitigate risks to the business. Get that communication wrong and no matter how much good policy you have poured into your security posturing, no matter how much tech you have on board, it will be for nothing because the awareness of the risk will not be there amongst the lifeblood of your organisation; the people who populate it. So how can you best ensure that your security awareness training methods are a success, that you get these channels of communication open and have them stay open and flow in both in directions?
Actually, it's a lot easier than the apparent rate of failure experienced by those getting it wrong would suggest. Some of the most common communication problems involve not actually communicating security risk with senior executives in any meaningful way, or at least not until a serious risk has revealed itself, yet executives need to be subject to policy just the same as anyone else. Then there's the problem of how that communication is carried out, in far too many cases when surveys are done it is referred to as being 'adversarial' or 'aggressive' in nature and we all know that neither of these is conducive to education or acceptance. Just as bad, many of those same surveys will refer to training as not being relevant to the security risks faced by the business in question. In other words, all too often training is templated and done by the numbers rather than being targeted both at the business and at the point in time. Communications can occur at too low a level and be too siloed, with information too technical to be understood by non-technical management and workers alike.
One thing that does stand out from all of this is that perhaps, and call me a radical if you like, just because you are really good at IT security that doesn't mean you are also really good at training people in IT security awareness. Maybe, just maybe, it's time we started seriously thinking about either training our IT security folk in the art of training before they start talking to anyone. Or maybe we should be outsourcing the task to people who already know how to do it properly?
After all, these days nobody can afford to undervalue the importance of a good education policy. You need to truly take ownership of this issue, even if that means passing responsibility for delivering it to someone else...