This article can also be found in the Premium Editorial Download "Information Security magazine: Trustworthy yet? An inside look at what's changed after a year of Microsoft Trustworthy Computing."
Download it now to read this article plus other related content.
Everyone agrees that security awareness training is critical to managing enterprise risk. Yet most infosecurity practitioners say their training programs are inconsistent at best--and ineffective at worst.
Break room posters, buttons, e-mail newsletters and "tips of the day" are useful for issue-specific training. But they're less effective for long-term understanding and application of the security fundamentals--the stuff we need to get right.
"In the old days, we put together a deck of slides and a script and mailed them out to division managers," says David Stacy, global IT security director for St. Jude Medical, a St. Paul, Minn.-based medical equipment manufacturer with 4,000 employees distributed throughout the world. "We'd tell them they need to communicate the material to their employees.
"The truth of the matter," Stacy adds, "is that you get uneven results. Some managers blow it off, others would spend only 15 minutes on it."
Stacy is among a growing number of infosecurity managers who are supplementing or replacing traditional awareness programs with interactive, computer-based training (see "Securing St. Jude"). While Stacy created his own three-module program with the help of a local e-learning company, some enterprises are turning to traditional infosecurity vendors for interactive training solutions. Vendors such as NetIQ, Red Siren and Commonwealth Films offer a variety of computer-based training and testing modules for security and nonsecurity personnel alike.
In addition to ensuring content consistency--"a Web site doesn't have a bad day," Stacy says--computer-based training helps you keep training expenses in check.
"The costs of T&E were getting too high," says Ron Wallace, manager of information security research and development at FedEx. To reduce costs, Wallace started using several of Red Siren's Infosec University courses to educate his 12-member security team. Junior-level admins take the 100-level basics courses, while senior-level managers take more advanced subject-specific courses, each priced between $130 and $260. Eventually, Wallace hopes to expand the program to include all 45 FedEx IT security staffers.
Blue Cross and Blue Shield of Kansas City recently adopted computer-based security training for a different reason: regulatory compliance.
"HIPAA prompted us to move to a more automated system," says Norma McKelvy, corporate security officer of the 1,100-employee company. "Our employees became more accountable for their actions, and we became more sensitized to the need for them to be more aware."
McKelvy had already deployed NetIQ's VigilEnt Policy Center for policy compliance when, six months ago, she began using the application's security awareness testing module. Intended for all employees, the program runs through the basics of information security and tests staffers on knowledge retention. Among other topics, it covers strong passwords, social engineering and desktop access control.
Perhaps best of all, computer-based training helps companies measure the effectiveness of their awareness program--a major improvement over the traditional "read this, sign on the dotted line" policy. Most training programs come with testing modules and custom reports showing problem areas or gaps in learning.
McKelvy says the proof that employees get it is in their everyday conduct. "At the end of the day, if I see somebody wearing their badge, checking behind them as they walk through the door, locking their workstation--these are the ways I visually measure that we're getting the message across. These things aren't 100 percent measurable on paper, but you know that they're happening."
Security awareness training has always been a tough nut to crack. But with the wide availability of these and other affordable e-learning programs, the tools to engineer meaningful change are only a few clicks away.
About the author:
Andrew Briney is editor-in-chief of Information Security magazine.
This was first published in February 2003