Security Awareness and Training, Part 1: Development
Ask any security professional and they’ll tell you that users are the most significant threat to an organization. It’s a common notion in the cybersecurity community that people are the weakest link in the security chain. This is due in large part to the traditional access control model, in which authenticated users are granted certain privileges once they’ve presented valid credentials. This concept applies to both technical and physical access, and each comes with its own set of potential risks. Today’s organizations cannot adequately protect the confidentiality, integrity, and availability of information without providing their user base with proper security awareness and training.
The security awareness and training program is a core component of any successful cybersecurity program. Security is a team effort and requires that all users are trained on security policy, procedures, and techniques, as well as on the role-specific aspects that apply to those with explicit security responsibilities. To aid organizations in the development, implementation, and management of a successful cybersecurity program, NIST developed SP 800-50, which is a great resource on the topic of security awareness and training.
The Security Awareness and Training Continuum
A successful security awareness and training program should consist of the following three components:
Developing a security policy with consideration for organizational mission/business functions and objectives
Informing all users of their security responsibilities, as documented in organizational security policy and procedures
Establishing processes for monitoring and reviewing the security program
Security awareness and training should be focused on the organization’s entire user population, up to and including senior executives. Users look to management for leadership, making it important that man
There are four components in the security awareness and training continuum as defined in NIST SP 800-50:
Awareness – Equip users with the knowledge required to identify, respond to, and report potential security incidents.
Training – Teach users the skills required to securely and effectively perform their job functions.
Education – Integrate security skills to create a multidisciplinary resource for security and non-security professionals alike.
Professional Development – Ensure that all users possess, and maintain, the knowledge and skills necessary for their roles.
Security Awareness and Training Program Design
This may seem obvious, but it’s easy to overlook: the security awareness and training program should be designed with the organization’s mission in mind. A strong program will support the business needs and be relevant to the organizational culture and IT architecture. Falling short in this area will make it unnecessarily difficult to achieve organizational buy-in, to the great detriment of the security posture. During the design phase, “Awareness and training needs are identified, an effective organization wide awareness and training plan is developed, organizational buy-in is sought and secured, and priorities are established.”
NIST SP 800-50 defines three common models of security awareness and training program structure:
Centralized policy, strategy, and implementation
Centralized policy and strategy, distributed implementation
Centralized policy, distributed strategy and implementation
The right model for your organization depends on factors such as size, geographic distribution, available resources, and culture. Give proper consideration to which model would best suit your organization; this is one example where one size does not fit all.
Part 2 of this two-part series will cover the implementation and maintenance of the security awareness and training program, which includes things like the needs assessment, material development and distribution, and measuring program performance.