Hord Tipton is quoted in a rather curt piece on GovInfoSecurity referring to the "Need to provide federal employees awareness training more often than once a year because of the ever-changing challenges IT security presents". Right-on Hord! I realise I'm quoting a small extract from a short piece about a press interview, but still there's much more to it than Hord's statement implies. I hope you'll forgive me a short but passionate rant ...
1. It's not just federal employees who need more than once-a-year training. The same applies to everyone, including employees (staff, managers, IT professionals, temps, contractors, consultants, auditors ...), students, retired people and other ordinary members of the general public. And yes, even CISSPs. A once-a-year training session falls way short of what any rational professional would call Continuous Professional Education.
2. What is "awareness training" anyway? In my experience, it's management doublespeak for a lecture at the troops - a broadcast, a sermon maybe, but almost invariably tedious, dull and worse than that, annoying to all concerned. Management get to spout off at the workforce about what they should and should not do. They lay down the corporate law, usually with implied or explicit threats to thrash the message home. Such sessions take time out of busy worklives, and are attended under sufferance (not because the audience actually want to go along and learn new stuff, but because they are told in no uncertain terms that they "just have to go"). Conceited or naive managers tick the compliance box that says "Security awareness - done" and move on to 'more important things'. In reality, what I'm talking about is neither awareness nor training. It's an amateur attempt at brainwashing. It shows an amazing lack of creativity and understanding of human psychology. The only motivation it achieves is to encourage staff (and, I bet, some managers) to find ways to evade future sessions.
3. IT does indeed present ever-changing challenges, but so too does the organization, its business, the commercial & regulatory environment, the people, the compliance obligations, the consequences of failure, the hackers, the malware, the criminals, the competitors, the peers, the partners ... Oh and, by the way, it's not just a matter of IT security. Information security takes in the obvious things such as indiscreet conversations and leaving sensitive papers on public transport, but more subtly it concerns protecting information assets, meaning the information content, the meaning, the knowledge, the expertise and experience - which goes way beyond the data or IT.
Surely by now we all know annual awareness sessions simply don't work. It's really not hard to poke giant holes in the concept but why does this ridiculous "annual awareness" thing refuse to lay down and die? I doubt any CISSP would seriously contend that subjecting employees to an "awareness training session" (whatever that might be) is going to achieve anything beneficial past the first few weeks, days, hours or minutes, let alone persist until the next year's session. Would you allow someone to drive a car on the basis of a "driving awareness training session" once a year? Would you be happy to don the face mask and place your most valuable personal assets in the hands of a surgeon who did a "surgery awareness training session" nearly a year ago? It's totally nuts, yet it keeps coming up like a dreaded zombie back from the grave to haunt us.
What concerns me most is that merely repeating the phrase (which I appreciate, ironically, is exactly what I am now doing) "annual security awareness training sessions" furthers the myth that that's what is meant by security awareness and/or security training, which are in fact quite distinct ideas. Worse still, since we all know that these annual sessions are a worthless and insufferable waste of time, it implies that both security awareness and security training are also worthless and insufferable. Doh! That's a classic example of throwing the baby out with the bath water.
Consider for a second the modern aircraft and its pilot. The cockpit is stuffed full of the most amazing technical wizardry, designed to make flying as safe, cost-efficient and generally pleasant as possible for all involved, a large part of it designed to make the pilot's job simpler and easier than ever ... yet we don't let just anyone sit in the hot seat and fly us to Barbados. Pilots undertake intense training courses on the ground before even taking to the skies, and then are required to clock so many hours of flying experience before being granted the privilege of becoming a qualified pilot - and yes it is a privilege that carries a heavy responsibility. They have further on-the-job training and flight simulator exercises to complete, and regular assessments to keep them up to date with the latest technologies, flight rules and so forth, throughout their careers. They meet and converse with other pilots, taking an interest in new risks and opportunities in flying. They develop a very personal passion or love for what they do. They get it.
OK, now switch scenes to the average corporate "end user" (surely a pejorative term, but quite apt in this context) - largely untrained, almost always unqualified and yet sat there in the hot seat playing with corporate and personal information assets with hardly a thought as to their protection or security. The PC is merely a tool to him, one that belongs to the evil corporation that makes him work for a living. Are we surprised they don't get it at all, even right after one of those dreadful "annual awareness training sessions"?
Right, switch scenes again to the classic geek hacker, all tattoos and piercings and black hoody - self trained, knowledgeable, committed and yes intensely passionate about what he does, with a deep fascination and respect for the technology. His PC is an art form, a thing of joy, an altar even. He inhabits a parallel universe to the end user. When end-user-man knocks off work at 5pm and traipses dejectedly home, the last thing he wants to do is "sit in front of the bloody PC all night", whereas that's exactly what geek-hacker enjoys most. Once the bytes start flying, the endorphins are released and before he knows it, it's dawn and time to get ready for work.
In computer security terms, it's a seriously unfair fight. In the blue corner, end-user man just wants to do his job and have an easy life. In the red corner, geek hacker wants to pwn his b0x, and has the tools, expertise and motivation to get it (and these days, someone wants to pay him serious money to do it for him). Meanwhile, the poor old security manager does his best to gee up end-user-man from the sidelines but knows there's not going to be a pretty ending.
Well maybe I've seriously over-stretched that analogy and taken the parody too far but what I'm really getting at is that end-user-man desperately needs effective information security awareness and training to:
- Inform him about the information security risks all around him, in terms he can relate to;
- Show him how to recognise and tackle those risks, in pragmatic terms he can actually use;
- Give him the skills and tools to do stuff securely, and the sense to report stuff that is patently not right;
- Motivate him to take an interest in protecting both the corporation's information assets and his own;
- Remind him of his obligations, meaning accountability and responsibility towards behaving securely;
- Light that spark of passion, that interest and feeling of control over his own destiny, that will enable him to take the fight to the other corner. Until and unless we get to this stage, consistently and repeatably, "awareness training" is doomed. We'll never create a security culture by shouting it down employees' earholes once a year.
That's it, relax, rant over. Now it's your turn. What do you think?
P.S. Even mighty SANS refers to "awareness training" and "at least an annual basis". At the bottom of the latest SANS list of 20 Consensus audit guidelines is one recommending Security skills assessment and training to fill the gaps. The SANS advice includes: "Organizations should develop security awareness training for various personnel job descriptions. The training should include specific, incident-based scenarios showing the threats an organization faces. The training should reflect proven defenses for the latest attack techniques. Organizations should devise periodic security awareness assessment quizzes, to be given to employees and contractors on at least an annual basis, determining whether they understand the information security policies and procedures for the organization, as well as their role in those procedures."