My eye has been caught once again this afternoon by yet another advertisement disguised as a press release breathlessly informing us that the company can deliver "security awareness training". It seems innocuous enough, but what does this three-word phrase really tell us about them?
Let me explain. I consider myself an information security awareness professional - that is, I help customers improve their employees' awareness of information security matters. Awareness, in my book at least, is a generalized approach, spreading the good word about information security and so leading to a broad company-wide understanding of information security, along with the motivation for employees to behave more securely and help protect valuable yet vulnerable information assets. My aim is very much to establish a widespread but deep-rooted security culture among the workforce, leading to information security being just "the way we do things around here". To be truly effective, the default corporate behavior (even when the boss is looking the other way) has to be security-minded, almost instinctive. I'm not talking about making everyone paranoid security freaks, but something far more subtle: a genuine appreciation of the true worth of information security (both to their employer and to them personally), along with sufficient useful, practical knowledge about typical everyday information security risks and how to deal with them.
To achieve cultural change on this scale takes patience and persistence. For all sorts of reasons, it's not something one can achieve overnight, and the moment we stop pushing, the level of awareness starts to decay naturally. It needs to be delivered continually, barely peeping above the parapet. Furthermore, it takes skill to draw out the essential and meaningful security messages from the great morass of information security issues we all face, and to present actionable suggestions. The real creativity comes not in raising awareness of the basics such as viruses and spam but in confidently tackling more important but narrower and often deadly dull security topics in a way that brings them to life and makes them resonate with the audience. I challenge anyone to inject some zest into awareness topics such as securing industrial control systems or business continuity planning, no matter how important these issues are.
To me, training is something quite different. It's what we do to performing seals - well OK, maybe that's a bit harsh, but the fact is that it's a decidedly different method with quite distinct aims from awareness. For a start, training courses usually take place in discrete episodes, either in dedicated or temporary training facilities or, these days, through Computer Based Training (CBT) systems. Either way, students have to set time aside from their working routines to attend - and I use that specific word advisedly. "Attend" means they are physically present, and maybe afterwards they collect a trite little certificate of attendance establishing that they were there. They didn't necessarily participate or learn, mind you, nor even enjoy the experience. Truly talented, passionate trainers or teachers delivering well-designed and well-constructed training courses can achieve great things, but clearly they are not all in the same league. From what I've seen of them, some CBT course providers evidently make a living turning out mind-numbingly dull voiceovers on crude PowerPoint or Flash graphics, maybe interspersed with some amateurish video footage or, even worse, childish games and cartoons, as if they are teaching pre-schoolers to count. The actual content of security training courses is distinctly variable in scope, quality and effectiveness, but who really cares, eh, just so long as the students get their wallpaper and management can tick the "security awareness training" box?
Finally, I'd like to point out the first word in the phrase "security awareness training". Does that mean physical security, IT security, national security, or something else? OK, I admit I'm biased here, but I consciously and deliberately use the term information security, meaning the protection of valuable information assets (including information, computer data, knowledge, experience, both proprietary and personal, plus the processes and systems used to gather, analyze, output and communicate information) against all manner of risks. Fair enough, "security awareness" is a convenient contraction, but little details like that matter to those of us who notice.
So, to sum up, companies promoting "security awareness training" raise serious doubts in my mind regarding their understanding and appreciation of the field, let alone their competence to deliver. I wonder if they have read NIST's standard SP800-50 "Building an Information Technology Security Awareness and Training Program" or the hot-off-the-press second edition of Rebecca Herold's outstanding book "Managing an Information Security and Privacy Awareness and Training Program", both of which expound on the difference between awareness and training.
Caveat emptor.
Kind regards,
Gary Hinson www.NoticeBored.com