Has security awareness training been up-to-scratch?

"Yesterday's hack is not tomorrow's hack. If you focused your effort on training people to identify that thing that happened last week...they're not going to spot the thing that's coming next week."

Ahead of teissR3 | Resilience, Response and Recovery Online Summit 2020, Vicki Gavin, The Cyber Coach at The Cyber Rescue Alliance, talks to Sooraj Shah about security awareness training and building a human firewall.

teissR3, taking place 15th - 24th September 2020, is the leading event focusing on how you improve your organisation’s cyber resiliency and adopt best-practice in incident response and crisis management in a post-COVID-19 world.

Video transcript

Has security awareness training, in general, been up to scratch up until now?

So I have a particular opinion there. We have focused on security awareness training for years. We don't train people. We train dogs. Training is what you do when you want somebody to do the same thing every time they see a particular cue. So when the hammer strikes, do x.

Well, cyber is not predictable like that. The cyber criminals change what they're doing all the time. Yesterday's hack is not tomorrow's hack. And so if you focused all of your effort on training people to identify that thing that happened last week or the week before, chances are, they're not going to spot the thing that's coming next week or next month.

You really have to change what you're doing and think more in terms of awareness. What you want to actually do is build what I call a human firewall. You want every single member of your organisation to be an extended member of your security team. Now obviously, they're not suddenly going to become pen testers or something like that.

But nobody was born an information security professional. We all learnt it. Everybody can learn the basics. And as long as you are educating them appropriately, no problem.

On the topic of education, one of my pet peeves is this notion that somehow cybersecurity professionals are natural educators. These are two completely separate skills. Some organisations are lucky, and they get a CISO who is also a qualified educator. But it's not the norm.

It's really important that, if you're going to develop education and awareness, you get people who actually understand how people learn and how to convey information in a way that will help them to learn, rather than just giving it to the guy who knows the most about security. It's such a ridiculous thing. Why do you expect somebody who's a security expert to be an excellent educator?

Some of them will be just naturally better maybe, as you say.

So I've been a CISO for a lot of years. And I also happen to have a diploma in how to educate adults. That's not the norm. Education is something I started studying long before I started taking an interest in security.