A growing number of companies are turning to user awareness training to improve software quality and reduce employee errors at the endpoint.
Fueling the trend are enterprises that are demanding the software development firms they hire adhere to more stringent security standards. In addition, more organizations are finding that employee errors can lead to costly fines or, worse, a data security breach.
Only days after a Boston-based health care firm found dozens of HIPAA violations, the firm's top executives decided to make an investment in security awareness training for its employees. Meanwhile, a Minnesota-based firm in the business of selling productivity software sought out security training for a dozen of its software developers. Both firms were driven by external factors: a failed audit and a growing demand from customers.
Security awareness training is a growing movement, according to experts and analysts. Failed audits, data breaches and other factors that put intellectual property and other sensitive data at risk have forced companies to try to instill security into their employees, said Rob Cheyne, founder and CEO of Providence, R.I.-based Safelight Security Advisors.
"You can't solve all your security issues by only deploying technology," Cheyne said. "Security education needs to be an ongoing initiative to make employees aware that they play a big and important role in keeping the company secure."
Safelight launched its Security Education Blueprint last month at RSA Conference 2011, which helps organizations assess the risk profile of the different groups within the company and cater a security education program to the right employees, Cheyne said.
While Cheyne provides ongoing training programs to end users and IT organizations, he said he gets the biggest thrill teaching software developers secure coding basics. "There are plenty of times where you get that 'Aha!' moment," Cheyne said. Often the biggest laggards in an organization aren't end users but managers and business executives, who need security training the most, he said.
"Organizations need to approach security training in a way that addresses the [way] people and processes interact with one another in the business," Cheyne said. "Every person within an organization has a role to play."
Michael Kaiser, executive director of the National Cyber Security Alliance, a non-profit organization that spearheads the annual cybersecurity awareness month, said he sees a growing movement toward IT security awareness training. Technology only goes so far in protecting valuable assets, he said. The organization started the "Stop, Think and Connect" campaign, aimed primarily at consumers, but also now being used by the Department of Homeland Security to instill security at the federal level.
"We really are collaborating to get this message properly adopted," Kaiser said. "It will take time, but hopefully over time, companies, non-profits, government agencies and other organizations will be using this message and it [will] become part of the public consciousness."
Optimism is growing in the security industry around secure software development improvements, said Gary McGraw, chief technology officer of Washington D.C.-based software security consulting firm Cigital Inc. Larger enterprises are more open to sharing their secure software development processes, so parts of them can be used by smaller organizations, said McGraw, who oversees the Building Security In Maturity Model, a study of nearly 40 real-world security initiatives at large organizations.
McGraw, Sammy Migues, Cigital's director of training and education, and Brian Chess of San Mateo, Calif.-based software security assurance vendor Fortify Software Inc. conducted dozens of interviews to find out which kinds of processes work over time.
"All of the firms that we've talked to made great progress in terms of the objective measurement of their software security processes," McGraw said. "You like to see companies step up and take responsibility and I think we're seeing more of that today."