Awareness, Education, and Training
Thanks to regulatory requirements, most everyone in the corporate world in the US is required to have official annual information security awareness/education/training. This isn't a bad thing per se, but I doubt few of us go beyond a stack of presentation slides with 10 multiple choice questions at the end. The compliance box gets checked, sure, but is anyone more knowledgeable about security? Has any risk been reduced?
There are many ways to impart knowledge or skill. Let's break things down at a very high level and all get on the same page. Awareness, education, and training are not interchangeable terms, so let me be clear on what I mean.
- Awareness covers exposure to information, and not much else. Newsletters, posters, email blasts all fall under awareness. Note there's no requirement that the target of the awareness shows that anything has changed.
- Education requires study and testing. Whether from a stack of slides, a website, a video, or a book, knowledge is not only absorbed; you also show that it sticks by taking a test.
- Training requires hands-on practice: actually doing the thing you're learning about, on the job or in a lab.
As you can tell, awareness is cheap and can reach a broad audience, education requires more infrastructure and accountability, and training requires the most resources and is the hardest to deliver to a large number of people.
I've run awareness and education campaigns over the course of my career. I've stood up in front of 1,400 managers and above and lectured for an hour on the dangers of computer hygiene and the responsibilities of all employees for security. I've built decks and decks of slides to cover all the angles of security for my companies and devised tests that may have actually required critical thinking and understanding of the subject. It checked the checkbox, but I doubt it reduced the overall security risk of my employer.
Honestly, it's not the primary job of the entire organization to be security experts. That's our job. And the only way we can get through to them is by making the materials relevant to their job. I doubt there are many security programs that have the resources to customize across the entire organization, so we must fall back on our primary tool of risk management. Find the high-risk populations and deploy appropriate controls.
Shouldn't your Domain Admins know a little more about security than your regular employees? Shouldn't your HR recruiters be better at understanding phishing attacks since they open email attachments from unknown senders all day? Shouldn't the security team receive the appropriate training to protect the computing environment?
Just as attacks are targeted, so must be our education and training. I've done more for reducing risk by having a ten minute phone conversation with a comptroller after a DLP alert than the hour I spent in front of those managers.