Has security awareness training been up-to-scratch?

“Yesterday’s hack is not tomorrow’s hack.  If you focused your effort on training people to identify that thing that happened last week…they’re not going to spot the thing that’s coming next week.”

Ahead of teissR3 | Resilience, Response and Recovery Online Summit 2020, Vicki Gavin, The Cyber Coach at The Cyber Rescue Alliance, talks to Sooraj Shah about security awareness training and building a human firewall.

teissR3, taking place 15th – 24th September 2020, is the leading event focusing on how you improve your organisation’s cyber resiliency and adopt best practice in incident response and crisis management in a post-COVID-19 world.

Video transcript

Has security awareness training, in general, been up to scratch up until now?

So I have a particular opinion there. We have focused on security awareness training for years. We don’t train people. We train dogs. Training is something that is when you want somebody to do the same thing every time they see a particular cue. So when the hammer strikes, do x.

Well, cyber is not predictive like that. The cyber criminals change what they’re doing all the time. Yesterday’s hack is not tomorrow’s hack. And so if you focused all of your effort on training people to identify that thing that happened last week or the week before, chances are, they’re not going to spot the thing that’s coming next week or next month.

You really have to change what you’re doing and think more in terms of awareness. What you want to actually do is build what I call a human firewall. You want every single member of your organisation to be an extended member of your security team. Now obviously, they’re not suddenly going to become pen testers or something like that.

But nobody was born an information security professional. We all learnt it. Everybody can learn the basics. And as long as you are educating them appropriately, no problem.

On the topic of education, one of my pet peeves is this notion that somehow cybersecurity professionals are natural educators. These are two completely separate skills. Some organisations are lucky, and they get a CISO who is also a qualified educator. But it’s not the norm.

It’s really important that, if you’re going to develop education and awareness, you get people who actually understand how people learn and how to convey information in a way that will help them to learn, rather than just giving it to the guy who knows the most about security. It’s such a ridiculous thing. Why do you expect somebody who’s a security expert to be an excellent educator?

Some of them will be just naturally better maybe, as you say.

So I’ve been a CISO for a lot of years. And I also happen to have a diploma in how to educate adults. That’s not the norm. Education is something I started studying long before I started taking an interest in security.

Copyright Lyonsdown Limited 2021

