Security Awareness for IT Staff and Developers
Lance Spitzner is the training director for SANS Securing the Human.
A common misconception, including among security professionals, is that if someone is technical, they must also be secure: if someone knows how to code in Python, configure a Unix server, or maintain a network of routers, then they must be secure. Unfortunately, that is not the case. In fact, technical individuals often pose a greater risk to an organization than general users because of their privileged access. They develop the code that faces the Internet, maintain the servers that hold databases, or run the routers that transfer information. Often these individuals require not only security awareness training but also advanced security training designed specifically for their roles.
Lance Spitzner on Data Privacy Awareness
A common challenge many schools share is protecting the privacy of their students. Institutions maintain a surprising amount of highly confidential student information, including medical, financial, personal, and educational data. As a result, institutions have to comply with numerous regulations, including HIPAA, FERPA, and GLBA. Remembering all of these different compliance rules and regulations can be confusing or overwhelming for faculty and staff. However, if you take a step back, many of these regulations have the same goal: protection of private information. In addition, the steps people are expected to follow in order to protect data are often the same.
Advice from Lance Spitzner on Information Security Careers
I often get requests asking how to get started in information security. I can't blame people, it is an extremely exciting field. What I like most about it is that everything is so new; often there are no rules on how to do things. You make the rules up as you go along, almost like blazing a path in the wild jungle just as the explorers did hundreds of years ago.
Here are some suggestions on how to get started based on my experience. I feel these work regardless of whether you are an existing IT person or coming from a different field. Personally, my background was a History major who spent four years in the Army driving around in tanks, so if you have the passion, anyone can get started in this field.
The Law of Scheduling (or The 5% Rule)
There are two ways to deliver security awareness training: Scheduled or On Demand. Scheduled is what you think of as traditional training: a specific time and place are set for people to attend, such as an onsite presentation or a scheduled webcast. On Demand is training that people can take when they want to, such as Computer Based Training (CBT).
The Real Reason the Human is the Weakest Link
Computers and mobile devices store, process, and transfer highly valuable information. As a result, your organization most likely invests a great deal of resources to protect them: protect the endpoint and you protect the information. Humans also store, process, and transfer information. Employees are in many ways another operating system, the HumanOS. Yet if you compare how much organizations invest in securing people with how much they invest in securing computers and mobile devices, you would be stunned at the difference. Let's take a look. Organizations typically invest the following in protecting an end device, including:
Cloud Security Awareness
Cloud computing is similar to the Bring Your Own Device (BYOD) syndrome. You can fight it all you want, but sooner or later your organization will most likely have to accept it. A common failure in securing the Cloud is that most organizations focus only on the technical controls, such as where the data is stored or when and how it is encrypted. However, you must also train and educate the very people using this technology, or you can expose your organization to tremendous risk. Technical controls can only do so much. The following are some of the key awareness points to consider.
1. What Is The Cloud?
First, don't assume everyone in your organization knows or understands what the Cloud is. Before you start explaining policies for Cloud, explain what it is and how it works. Consider including examples; people may not realize that Google Docs or Dropbox is the Cloud.
2. Is The Cloud Allowed?
Security Awareness on Social Media
Social media is one of the fastest growing areas of online activity, and one of the fastest growing areas for malicious cyber activity. Even if your organization blocks access to social media sites, there are a tremendous number of risks you have to make your faculty, staff, and students aware of. Here are some of the key points we recommend in any awareness program concerning social media sites.
Selecting Topics For Your Awareness Program
A common challenge most organizations face when building an effective security awareness program is determining which topics to communicate. Too often organizations try to teach too much, with little if any effort spent identifying which topics have the greatest impact. Keep in mind that you most likely face several limitations. The first is that many organizations are limited to thirty minutes or less in their initial training. Every minute of lost work quickly adds up; as a result, management may put restrictions on how long the training can be. In addition, you will be competing for time against other types of training (sexual harassment, ethics, etc.). Also keep in mind that people can only remember so much. The fewer topics you focus on, the more you can reinforce those topics and the more likely you are to change behaviors. If you try to cram in too much information, people will simply become overwhelmed and most likely forget it all.
Where To Start When Building an Awareness Program
When it comes to security awareness, a common challenge I find is that organizations have focused so much on getting management support, budget, and materials that when they are ready to start, they have not yet thought about how to begin. One of the best places to start is building your team, a steering committee if you like. The purpose of this team is to help guide your program in the years to come. Not only can members provide input, but they can also become owners and champions for your program. Keep the team simple; you are not required to hold regular meetings or even be physically together, perhaps something as simple as quarterly Skype conferences. Also, keep the team small; I suggest no more than 5-7 people. Anything larger and consensus building becomes almost impossible. Some key departments I recommend are
Security Awareness Program Deployment Package - Download Now
Just wanted to make you aware of a new, free resource Securing The Human is providing to the community. We have put together a package that contains a variety of materials to help you plan and deploy your awareness program. Examples include an awareness survey, execution template, execution checklist, compliance requirements, and other materials. Many of these resources are based on our two-day course MGT 433, which teaches organizations how to build effective awareness programs. Feel free to use this and any other resources at http://www.securingthehuman.org/resources/planning.
If there are any other resources you would like to see added to help you with your awareness planning, please let me know at firstname.lastname@example.org.