How many of you went through your security awareness training for the year? Did it consist of a simple slide show with a quiz at the end—a slide show that covered not even a tenth of your full security requirements and was about as memorable as the rock you went by this morning? Yes, you passed the quiz (as they gave you the slide deck to review); now you are done with security training for the year. This approach to security training is a load of fecal matter, a useless waste of time that teaches no one anything. It is time for a change!

This type of change has been the concept behind a series of podcasts designed to make individuals aware of how to protect their family, themselves, and their funds. It has nothing to do with the organization; instead, it is focused on you, the individual, who has more important things to worry about. In this series of podcasts, we offer some solid actions you can take all year round to provide security for your loved ones and safety not only for your digital life but for all aspects of your life.
This is the missing component of most security training. It misses the human; it does not help in day-to-day life. Do your employees know how to protect your bank account? If they did know, would that not also translate to any other account they may have within a business or outside? Would this not at least raise awareness to a level it has not reached for generations? If we cannot reach our individual contributors where it matters to them, then we are not educating them.
Try this on for size:

Unless they own the business, individual contributors do not care about the business. They care about themselves and family.

Take this message to heart and stop using training that is ineffectual because it is unrelated to what is important to employees. Use training that helps them, and both you and your employees will reap the rewards. There are many security education companies available, but which one is right? This is one of the things I will be looking out for at the RSA Conference this year: education companies that actually matter, that help people realize what they need to learn to protect themselves in this digital age.
Think of it this way, and try to answer the following questions:

  1. Why does someone learn self-defense?
  2. When does someone use self-defense?
  3. Do they defend others?

The answers are simple: people learn self-defense to defend themselves, they use it when threatened, and they often defend others when those others are relatives or friends. Yet, when it comes to cyber-security training, no one looks at it as self-defense but as a way to defend the citadel, the ivory tower. The current mindset for security training centers on telling people they need to be smarter about defending something they do not own, something they are only peripherally a part of, something they may not even care about. After all, it is a job, not their life.
This is where things need to change. We need to consider how to educate people about security, using security training that shows them how to defend themselves and their family. We need to work within human nature, not against it.
This is why training needs to change. Long gone are the days when security discussions were nothing but yak shaving. Long gone are the days when we bolted on security. It is too important now. It is everyone’s business. Those who ignore security as part of early-stage development or who expect someone else to do it are part of the problem and not the solution. This prompts two major questions:

  1. How do we find those who are not properly trained?
  2. How do we provide the proper security training?

We have provided some guidance in answer to #1, but #2 is a growing concern. Have a listen to the video podcasts and let me know your thoughts. Finding more answers to these questions is going to help those who are creating security training.