A Cybersecurity Aware Workforce (Part 1)
Balance the force of your security training awareness program to produce Jedi warriors.
I spent about six years as the Command Training Officer for two separate Naval Security Group Activities before I retired from active duty. These are now known as Naval Information Operations Commands, which only goes to show time has passed. During this passing of time our need for greater awareness of cybersecurity issues has grown exponentially. What I learned about organizational training programs is that no one method works for everyone. Adult learners who are force-fed awareness training can quickly become your biggest critics and will look at you as if you are Jason from Friday the 13th.
These dynamic challenges, coupled with outside drivers you cannot control (compliance/regulatory requirements), present you with the greatest opportunity to create an outstanding awareness program. How do you get from mediocre to outstanding? Creative thinking and analysis of your organization’s workforce dynamics (how they work, accomplish goals, interact with others, and achieve results). You also need to know what to protect and what is vulnerable, and to allow yourself to learn from others. This will give you a baseline starting point to create an outstanding awareness program, one where you can grow Jedi cyber warriors and get support from the Force (C-Suite) without becoming the villain. We’ll look at these elements in no specific order in this three-part series.
Keep up with technology
Is your awareness program still focused on the same problems identified in the 1980s and 90s? Are you using the same training video you picked up at a conference 5 years ago that was old when you got it? We can all readily identify some problems that haven’t changed in the past 30 years, like passwords and user susceptibility to social engineering. However, there are a lot of new challenges your awareness program needs to focus on. Maybe they are 1st World problems like not having the latest smartphone. Don’t overlook current trends that affect your security awareness program.
Don’t forget that one of the key elements of an awareness program is understanding what awareness means and what it does not mean. Awareness is increasing your target audience’s understanding and basic knowledge; so for a cybersecurity-focused awareness program you want to increase their understanding and knowledge of the problems you face collectively as an organization, their potential impact, and how they can help protect your enterprise. You want them to be able to recognize a problem, not necessarily know how to fix it. Think about “Mindy Parks”, the imagery analyst in the bestselling book “The Martian” (now a box office hit), who recognized changes in the images of Mars she was looking at that might indicate “Mark Watney” was still alive. She did not have the solution to the problem, but she recognized there was a problem. That’s what you want your workforce to be able to do: recognize there is a problem and know they need to tell someone…the right someone, so we can start working out the details on how to get “Mark Watney” home safe. Awareness is not teaching them how to become a security professional, although that would make our jobs easier and might eliminate your job altogether…so be careful :)