COMPLIANCE COUNSELOR

Key to policy success: Centralized information security training


Charles Cresson Wood, CISSP
05.18.2004


When it comes to successful information security training and awareness efforts, consistency is essential. Suppose some of the end users in your organization had been trained to recognize social engineers posing as third-party vendors, while others had not. The untrained users become the path of least resistance, so the likelihood that a social engineering attack succeeds rises with the size of that untrained population. The same logic applies to technical controls: it would not work to have some personal computers on your internal network protected with the latest antivirus signatures while others run without them. An attacker needs only one gap, and inconsistent training creates many.

Instead of a centralized source, what I often see is a decentralized approach to information security training. Consider a large multinational company listed on a stock exchange. Document retention and destruction training is issued by the Legal Department; accountability and logging training is issued by the Quality Control Department; third-party access-control privilege training is issued by the Human Resources Department. Bits and pieces of information security training thus come from different groups, with nothing on the subject coming from the Information Technology Department. This approach is most likely to be ineffective because there is no coordinating agent: nobody knows which messages have reached which audiences, which topics are missing, and whether the messages contradict one another.

What should instead be done, in every organization of significant size, is to coordinate information security training through the Information Security Department. This does not mean that all training must be delivered by the Information Security Department. For example, the Human Resources Department can and generally should deliver new-hire orientation, and that orientation should include a segment on information security. But the training needs should be assessed initially, re-evaluated periodically, and defined on a cross-organizational basis by a single central group.

Most progressive organizations achieve this objective through an intranet-based computer-based training (CBT) system. These systems, available from various vendors, deliver selected information security policy content based on the job needs of the recipient. They also provide online tests so that management can confirm that the recipient actually understood the material. The test records are useful when it comes to disciplinary action, up to and including termination: a recipient cannot reasonably claim never to have seen the policy, or not to have understood it, when there is a dated record of the completed test.

If your organization doesn't yet use a centralized approach to information security training, there are four steps you can take to get on track.

  1. A broadly scoped risk assessment can reveal the deficiencies of the current approach. In the organization described above, the absence of a single group with centralized control over information security training would come to light.
  2. A training-related gap analysis compares the training messages currently being delivered with the messages that need to be delivered. In many cases the identified causes of this gap will include the lack of centralized coordination of training.
  3. The mission statement (or charter) of the Information Security Department should explicitly assign the Department a centralized, organization-wide training role.
  4. The information security policy should state clearly which organizational unit is responsible for providing information security training.

There are many reasons to support distributed and decentralized information security activities, and responsiveness to local needs is just one of them. But even when virtually all information security activities are carried out on a distributed and decentralized basis, there is still a need for centralized coordination of training, as there is in other areas of information security.

About the author
Charles Cresson Wood, CISSP, CISA, CISM, is an independent information security consultant based in Sausalito, Calif. He specializes in the development of information security documents including policies, standards, procedures and job descriptions. He is also the author of Information Security Policies Made Easy.

SearchSecurity.com | Copyright 2003 - 2009, TechTarget