“Amateurs hack computers, professionals hack people.”
-Bruce Schneier
By now, we all understand the importance of layered security for an organization. I touch on the concept of layering, or defense in depth, in my last post here. Ensuring your network has security controls at each level is very important. However, those controls can be defeated by the very users they are meant to protect. Humans are considered by many to be the weakest link in security.
So, how do we ensure that the human element doesn’t defeat all the work and effort we put into stopping the bad guys? This post will dig into some best practices to really help strengthen the security skills and awareness of the people in your organization.
Changing the image of InfoSec
What do you think of when you think about InfoSec? Firewalls? Security Operation Centers? Incident Response? Forensics? Vulnerability Management?
What if I told you that most of us are omitting a very important part of InfoSec when we think about what InfoSec actually is?
You know where I’m going with this. The human element. We spend so much time focusing on the newest security controls that we tend to forget about one of the most important aspects of security: security awareness & training.
It is great to have a highly skilled InfoSec team that understands the threats to your organization. However, that team will be limited in its impact if the entire organization sees InfoSec as an obstacle to their business goals rather than a partner. This will lead to shadow IT, bypassing security procedures, and resistance to security policies.
Investing in inter-team relationships
The last thing we should want, as security practitioners, is to be thought of as those mean people upstairs who will smack you on the wrist for doing something wrong. However, I’ve heard that sentiment from several people within my own organization. InfoSec should be thought of as a partner: a group that any team can go to for assistance and guidance, and can leverage. Below, I’ll highlight a few ways that InfoSec can foster these relationships with different areas of their respective companies.
- Listen to business area needs and adapt processes to help them succeed faster.
- Work closely with teams outside of InfoSec to help them be proactive with security, instead of reactive.
- Understand that business needs sometimes do outweigh security needs. This is why there are different ways to handle a security risk, such as acceptance of the risk.
- Focus on the end user and their experience with InfoSec. How can you make their tasks of remediation easier, quicker, and less painful?
- InfoSec should be a partner to help break down roadblocks, explain security risks to management, and drive inter-team efforts to improve the security posture of the entire company. Don’t just hand them a vulnerability and a due date.
While the above is not an exhaustive list of recommendations, I believe it will help spark the thought process on how to foster those relationships. Management within InfoSec should be invested in forming these relationships and helping the overall business be more proactive. After all, effort put into security before production will result in fewer vulnerabilities after production.
Security awareness & training
Ensuring that users understand security risks and are trained routinely is no small feat. Keeping users engaged with security training can be tough. However, it is not impossible. Diversifying your training and awareness campaigns can really improve the overall engagement and retention of knowledge from users. Be creative and look for engaging ways to train users. This is important information; take your time and invest effort into creating an engaging and educational training environment for users.
Below, I’ll cover some awareness and training tactics. However, as this is not an exhaustive list, don’t be afraid to shake things up. Remember that training should be engaging, entertaining, and educational. You really do not want users to have the same boring CBL module every year that they must complete or get yelled at by their manager.
Awareness & Training tactics
- Gamification – Employ games as part of security training. This can be as simple as creating passwords to test their strength against password crackers. This gives an end user an idea of just how strong their password needs to be, as well as a fun little game to see if they can get a high score. Make sure the game uses throwaway passwords rather than the user’s real ones, and that nothing entered is logged. However, feel free to create all kinds of games to teach security awareness.
- Phishing campaigns – Don’t just send the same rinse/repeat phishing email. Also, don’t do it at scheduled times that users can guess. You want to shake things up. Provide various examples of real world phishing attempts. Congratulate users who catch the phish and also guide those who do click on it.
- Instructor-led training – I’m not a huge fan of CBL module type security training. From my experience, most users just want to blaze through those as fast as possible to get back to work. Instructor-led training can be more interactive, engaging, and entertaining. Again, make it interesting. Don’t drone on about security. Use stories that users can relate to.
- Achievements & badging – One tactic that I’ve seen that works is through the use of badges and achievements. Providing users with badges they can put in their email signatures, certificates, or achievements can help entice users to go out and proactively train themselves.
- CTF & Hackathon events – What better way to teach security than by giving users a taste of what a bad guy can do? You might also realize you have some very skilled people in your organization who don’t even work in InfoSec. Host a CTF event and allow users to work through challenges. Events like NetWars from SANS are great examples of how to do this.
- InfoSec learning webinars – Have teams throughout your InfoSec department host webinars for the business. It does wonders when business areas can see just how much their SOC does to defend the company. Many times, these other areas of the business don’t truly understand what InfoSec does and how important security is until they see it first hand.
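To make the password-strength game in the Gamification tactic above concrete, here is an added example (my own, not code from the original post) of a scorer that models what a cracker actually tries first: a dictionary plus mangling rules, then exhaustive search over the character classes used. The wordlist, the rule count and the guess rate are constructed placeholders; swap in your own wordlist and a benchmark of the hash your directory really uses.

```python
"""
Added example (not from the original post): a tiny password-strength scorer
that estimates how many guesses a cracker needs, in the order a cracker
would try attacks.

Assumptions (all constructed placeholders, replace with your own numbers):
  - COMMON_WORDS stands in for a real cracking dictionary (millions of entries)
  - MANGLING_RULES approximates a rule set (append digits, capitalise, leetspeak)
  - GUESSES_PER_SECOND approximates a GPU rig against a fast unsalted hash
"""
import math
import string

COMMON_WORDS = {"password", "qwerty", "letmein", "welcome",
                "admin", "monkey", "dragon", "iloveyou"}
WORDLIST_SIZE = len(COMMON_WORDS)
MANGLING_RULES = 1000
GUESSES_PER_SECOND = 1e10

# Reverse the substitutions a rule engine applies, so "P@ssw0rd1!" maps back to "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "$": "s", "7": "t"})


def base_word(pw: str) -> str:
    """Undo common mangling: case, trailing digits/symbols, leetspeak."""
    stripped = pw.lower().rstrip(string.digits + string.punctuation)
    return stripped.translate(LEET)


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force attack must cover for this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    if any(c.isspace() for c in pw):
        size += 1
    return size or 1


def estimate_guesses(pw: str) -> tuple:
    """Return (expected guesses, attack name) for the cheapest attack that finds pw."""
    if not pw:
        return 1, "empty"
    if base_word(pw) in COMMON_WORDS:
        # Dictionary attack: every word tried under every mangling rule.
        return WORDLIST_SIZE * MANGLING_RULES, "dictionary+rules"
    # Otherwise assume exhaustive search over the character classes present.
    # (Multi-word passphrases are scored as brute force here; real crackers
    # also try word combinations, so treat the passphrase number as an upper bound.)
    return charset_size(pw) ** len(pw), "brute-force"


def score(pw: str) -> dict:
    """The 'high score' shown to the player: bits of work plus a plain-language rating."""
    guesses, attack = estimate_guesses(pw)
    seconds = guesses / GUESSES_PER_SECOND
    if seconds < 3600:
        rating = "weak"
    elif seconds < 365 * 24 * 3600:
        rating = "moderate"
    else:
        rating = "strong"
    return {"attack": attack, "bits": round(math.log2(guesses), 1),
            "seconds": seconds, "rating": rating}


if __name__ == "__main__":
    # Constructed sample entries; players would type their own throwaway passwords.
    for candidate in ["1234", "P@ssw0rd1!", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{candidate!r:32} -> {score(candidate)}")
```

The point the game makes is visible in the second entry: "P@ssw0rd1!" uses all four character classes, so a naive length-and-complexity meter rates it highly, yet the scorer finds it in a few thousand guesses because it is a dictionary word under a standard rule. Nothing here should be written to disk; run it locally and keep the inputs out of logs.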
Conclusion
InfoSec has come a long way in just the time that I’ve been in it. However, I believe that we need to spend more effort on training users and increasing overall security awareness among everyone around us. This will take a bit of a shift within InfoSec, to value the role of end users in security as much as it values new security tools and processes.
If you have any thoughts on the above, I’d love to hear them. Feel free to drop a comment below. Best of luck to you on your journey!
Pretty! This has been a really wonderful post. Thank you for providing this information.