WEBVTT

00:00:01.100 --> 00:00:03.540
Let's take a look at security awareness training,

00:00:03.540 --> 00:00:08.300
part of Security Operations for Certified in Cybersecurity.

00:00:09.600 --> 00:00:12.750
This course was divided into four sections,

00:00:12.750 --> 00:00:17.450
data security, security operations and administration.

00:00:17.760 --> 00:00:21.410
Now we'll take a look at security awareness training before

00:00:21.410 --> 00:00:24.190
we review exam review tips and techniques.

00:00:25.310 --> 00:00:30.330
One of the things to remember is that there are golden security keys.

00:00:30.330 --> 00:00:35.510
These are the security keys that will make a security program

00:00:35.600 --> 00:00:38.830
much more likely to actually be successful.

00:00:39.430 --> 00:00:44.600
The first thing is that in order to have a good security program,

00:00:44.610 --> 00:00:48.340
you really need to have senior management support.

00:00:48.780 --> 00:00:50.200
If they don't support it,

00:00:50.540 --> 00:00:53.330
then most employees will just kind of shrug their

00:00:53.330 --> 00:00:55.380
shoulders and ignore it as well.

00:00:55.900 --> 00:01:00.940
And that support should be active and demonstrated as well.

00:01:02.070 --> 00:01:03.060
In addition,

00:01:03.070 --> 00:01:07.910
the second key is that security must be seen to be

00:01:07.910 --> 00:01:11.190
aligned with and to support the business.

00:01:11.190 --> 00:01:12.550
In the end,

00:01:12.550 --> 00:01:17.850
if there's ever a debate about operating the business or being more secure,

00:01:18.130 --> 00:01:22.330
you know that security will lose that debate every time.

00:01:22.330 --> 00:01:28.310
In the end, the business exists in order to meet its mission and objectives.

00:01:28.750 --> 00:01:33.640
Security is just there to help the business to meet its mission and objectives.

00:01:33.920 --> 00:01:36.880
And if it's seen that security gets in the way,

00:01:36.880 --> 00:01:37.480
oh,

00:01:37.480 --> 00:01:43.600
then very much we can see that people start to bypass and ignore all

00:01:43.600 --> 00:01:46.440
of the things that the security people are saying.

00:01:46.440 --> 00:01:50.180
It gets to the point that security is seen like a dog

00:01:50.190 --> 00:01:56.060
that is barking several miles away, and that dog barks and barks,

00:01:56.060 --> 00:01:58.850
and everybody sort of says I wish the dog would be

00:01:58.850 --> 00:02:02.120
quiet because it's not doing any good.

00:02:02.350 --> 00:02:05.600
It's not talking about anything that really matters.

00:02:05.600 --> 00:02:11.720
And we don't want to be seen as security dogs just quite simply barking

00:02:11.850 --> 00:02:17.110
without people recognizing the value of what security is.

00:02:17.510 --> 00:02:22.430
Therefore, it has to be seen that we are supporting business goals as well.

00:02:23.030 --> 00:02:28.570
Now the third thing is that the best control is security awareness.

00:02:29.110 --> 00:02:32.350
We've seen this through a number of different studies where

00:02:32.350 --> 00:02:35.210
they've seen that of all the things that can help the

00:02:35.220 --> 00:02:37.790
organization to be more secure,

00:02:38.140 --> 00:02:43.790
all of the tools and technologies and contracts and applications,

00:02:43.790 --> 00:02:49.060
the one that works best is actually to work with our people,

00:02:49.060 --> 00:02:54.520
that is to create a culture of security to let everybody

00:02:54.520 --> 00:02:57.970
know that what they do is important,

00:02:57.970 --> 00:03:01.720
that actually security is a part of their job,

00:03:01.720 --> 00:03:05.850
and the way they do things should be in a secure way.

00:03:06.560 --> 00:03:09.240
So security awareness is important.

00:03:09.700 --> 00:03:11.010
We have, of course,

00:03:11.020 --> 00:03:17.500
awareness that creates a recognition of what's important,

00:03:17.570 --> 00:03:20.670
what the risks are, what the policies are,

00:03:20.670 --> 00:03:26.530
and, of course, creates a sensitivity for everybody to know what to look for.

00:03:26.530 --> 00:03:29.110
What are the things that could go wrong?

00:03:29.110 --> 00:03:33.800
And that way, everybody becomes a part of our security team.

00:03:34.400 --> 00:03:39.380
Many of us have seen this, for example, the sayings on posters.

00:03:39.380 --> 00:03:42.160
If you see something, say something.

00:03:42.160 --> 00:03:45.130
And that's really what awareness does.

00:03:45.200 --> 00:03:46.930
So people are watching,

00:03:46.940 --> 00:03:50.770
and they would notice if there's something a little bit off.

00:03:50.770 --> 00:03:53.620
That is not the same as training.

00:03:53.630 --> 00:03:58.260
Training is working with our staff so they know how to do their job,

00:03:58.270 --> 00:04:01.950
how to use a certain tool, how to use a certain application,

00:04:01.950 --> 00:04:03.190
for example.

00:04:03.450 --> 00:04:09.370
And education is teaching people good decision-making skills.

00:04:09.380 --> 00:04:15.500
So quite often you can see here a progression from the awareness

00:04:15.500 --> 00:04:19.250
level to a training level to an education level.

00:04:20.010 --> 00:04:23.490
Everybody should have security awareness training.

00:04:24.560 --> 00:04:27.020
When we talk about security awareness,

00:04:27.520 --> 00:04:31.930
the goal of this is to change people's beliefs.

00:04:32.620 --> 00:04:37.890
If I can change people's beliefs so they believe that security is a good thing,

00:04:38.080 --> 00:04:41.460
that is going to change their behavior because people

00:04:41.470 --> 00:04:43.310
act according to their beliefs.

00:04:43.310 --> 00:04:47.530
And so we influence and change behavior in that way.

00:04:48.160 --> 00:04:50.780
The awareness program should be convincing.

00:04:51.300 --> 00:04:54.850
It should be something that allows people to see and

00:04:54.850 --> 00:04:57.940
recognize that what we're saying is important,

00:04:57.940 --> 00:05:02.020
not just trying to be troublesome, for example.

00:05:02.020 --> 00:05:03.220
Through this,

00:05:03.220 --> 00:05:08.140
we create a sensitivity to issues so people now are

00:05:08.140 --> 00:05:11.310
aware when there's something; whereas, in the past,

00:05:11.310 --> 00:05:14.210
maybe they didn't recognize that this actually was,

00:05:14.210 --> 00:05:16.880
should we say here, not a good thing.

00:05:16.880 --> 00:05:18.960
But there's another side to this.

00:05:19.680 --> 00:05:22.700
The other side to this is that when we've told people,

00:05:22.700 --> 00:05:25.580
now they are accountable for what they do.

00:05:25.580 --> 00:05:27.560
If I've never told somebody,

00:05:27.560 --> 00:05:31.590
I can't expect somebody to know something if they've never been told.

00:05:31.590 --> 00:05:37.020
But once I've told them, well, now they are accountable for their actions.

00:05:37.080 --> 00:05:38.370
And so in one way,

00:05:38.370 --> 00:05:44.170
security awareness brings a greater responsibility to each individual as well.

00:05:45.580 --> 00:05:50.100
When we talk about awareness programs, they should be timely,

00:05:50.100 --> 00:05:52.660
talk about the things that are happening today.

00:05:53.210 --> 00:05:57.790
We don't need to talk about things that were the problems of 20 years ago.

00:05:58.190 --> 00:06:01.790
But we should very much have little messages that come

00:06:01.790 --> 00:06:05.110
out about today's issues of ransomware, DDoS,

00:06:05.110 --> 00:06:08.640
bring your own device, advanced persistent threats.

00:06:08.940 --> 00:06:11.510
Talk about the things that they are seeing in the

00:06:11.510 --> 00:06:16.580
newspaper or hearing on the news, and let them know how our organization,

00:06:16.580 --> 00:06:18.320
we're aware of these things,

00:06:18.320 --> 00:06:22.040
and we certainly are working to try and prevent them from getting in.

00:06:22.900 --> 00:06:29.030
One of the things I noticed with having children is that very often it

00:06:29.030 --> 00:06:32.470
wasn't enough to tell them about something once.

00:06:32.470 --> 00:06:38.050
It was good to actually repeat that message until they remembered it.

00:06:38.500 --> 00:06:41.450
And so that message should be consistent,

00:06:41.450 --> 00:06:46.470
but also should be repeated, so it becomes ingrained in them.

00:06:46.480 --> 00:06:49.710
It becomes a part of their belief system as well.

00:06:50.190 --> 00:06:53.460
And so we should have a security awareness program,

00:06:53.460 --> 00:06:58.940
which isn't just a boring meeting once a year where somebody stands up

00:06:58.940 --> 00:07:01.580
in front and tells everybody they're doing things wrong.

00:07:02.060 --> 00:07:02.810
No.

00:07:02.820 --> 00:07:06.070
Our security awareness program should be exciting,

00:07:06.070 --> 00:07:06.730
alive,

00:07:06.730 --> 00:07:11.220
talk about what's going on so people actually may perk up and

00:07:11.220 --> 00:07:13.560
take an interest in what we're doing as well.

00:07:14.500 --> 00:07:18.200
When we do awareness, we should encourage attendance.

00:07:18.200 --> 00:07:22.450
And one of the secrets to this -- I remember I was taken to a

00:07:22.450 --> 00:07:26.870
large organization who wanted to have all of their staff attend

00:07:26.870 --> 00:07:29.000
this security awareness program,

00:07:29.000 --> 00:07:33.110
and the attendance of the first couple of sessions was really,

00:07:33.110 --> 00:07:37.680
really poor, nowhere near the number of people that should have been there.

00:07:37.680 --> 00:07:40.280
We were counting on 150 in each session.

00:07:40.280 --> 00:07:42.400
We were lucky if we had 30.

00:07:42.400 --> 00:07:46.770
And I went to the organizer and I said you know

00:07:47.100 --> 00:07:50.230
that you have to get the CEO here.

00:07:50.230 --> 00:07:52.030
And he said no.

00:07:52.030 --> 00:07:53.450
He literally was shaking.

00:07:53.450 --> 00:07:55.610
He says I can't go to the CEO about this.

00:07:56.070 --> 00:07:57.950
I said the CEO paid for this.

00:07:57.950 --> 00:08:01.580
The CEO signed off on having this done.

00:08:02.180 --> 00:08:06.470
I said you need to go and make sure he is in the next session.

00:08:06.470 --> 00:08:10.480
And, shaking, he went. And certainly, what happened?

00:08:10.700 --> 00:08:12.250
The CEO showed up.

00:08:12.250 --> 00:08:15.330
But you know what happened with every session after that?

00:08:15.900 --> 00:08:19.320
Well, then we were full to capacity with standing room only.

00:08:19.320 --> 00:08:19.890
Why?

00:08:20.240 --> 00:08:23.420
Because there's no one who could say, well, I was too busy.

00:08:23.420 --> 00:08:26.420
If the CEO can take time to come,

00:08:26.430 --> 00:08:30.250
you know that everybody else better find the time to come as well.

00:08:30.250 --> 00:08:33.120
And so, we should encourage attendance.

00:08:33.120 --> 00:08:35.000
And in fact, in some cases,

00:08:35.000 --> 00:08:39.669
if we want to be certified by something like ISO 27001,

00:08:39.990 --> 00:08:41.450
this is actually a requirement.

00:08:41.450 --> 00:08:47.230
We have to show that our people were then given a security

00:08:47.230 --> 00:08:50.860
awareness program at least once a year.

00:08:50.860 --> 00:08:52.130
But things get boring.

00:08:52.770 --> 00:08:54.200
I love posters.

00:08:54.200 --> 00:08:57.960
You know posters are a little bit funny and a little humorous sometimes.

00:08:57.960 --> 00:09:01.300
But after 3 days, posters become wallpaper.

00:09:01.300 --> 00:09:03.420
And so we could think that, well,

00:09:03.420 --> 00:09:05.970
the best way to get the message across is through a poster.

00:09:05.970 --> 00:09:06.820
It's a very good way.

00:09:07.420 --> 00:09:09.220
But that's not the only way.

00:09:09.810 --> 00:09:13.370
Maybe we need to do something that pops up on a personal

00:09:13.370 --> 00:09:14.870
screen first thing in the morning.

00:09:14.870 --> 00:09:16.830
Here's your security tip of the day.

00:09:17.510 --> 00:09:21.490
Maybe we need to -- I like how one company did this at a conference.

00:09:21.490 --> 00:09:26.370
As you were walking around, they handed everybody a little pad of Post-it notes.

00:09:26.370 --> 00:09:31.830
And on the Post-it note, in a watermark, it said no passwords here.

00:09:32.450 --> 00:09:36.290
What a great fun way to get the message across to everybody.

00:09:36.620 --> 00:09:41.630
And of course, use different delivery models that'll appeal to

00:09:41.630 --> 00:09:45.160
different people's, should we say, sense of learning as well.

00:09:45.980 --> 00:09:50.420
Talk about things that are practical. Don't make it theoretical.

00:09:50.430 --> 00:09:52.920
But instead, talk about this is what's happened.

00:09:53.150 --> 00:09:53.940
For example,

00:09:53.940 --> 00:09:59.400
an example from other organizations or even within our own organization

00:09:59.950 --> 00:10:04.040
so that people can apply what they're hearing, and that makes it much

00:10:04.040 --> 00:10:07.230
more understandable and real for them as well.

00:10:08.050 --> 00:10:10.950
One of the problems is that we often make security

00:10:10.960 --> 00:10:15.790
impossible. We almost convince people that we can't win

00:10:15.790 --> 00:10:18.010
because the hackers are smarter than us.

00:10:18.310 --> 00:10:23.310
And we put unrealistic requirements on people, such as the old one

00:10:23.310 --> 00:10:28.020
about passwords. I gave that quote in the last module,

00:10:28.390 --> 00:10:28.880
you know,

00:10:28.880 --> 00:10:34.640
from Bruce Schneier. We tell everybody to choose a password that's impossible

00:10:34.640 --> 00:10:37.060
password to remember, but never write it down.

00:10:37.460 --> 00:10:39.040
Well, that doesn't work.

00:10:39.330 --> 00:10:40.890
So instead, what should we do?

00:10:40.900 --> 00:10:43.360
We tell people, here's how to choose a good password.

00:10:44.020 --> 00:10:46.780
Have a favorite song, favorite poem.

00:10:47.440 --> 00:10:52.440
Maybe, for example, take the first letter of each word in say,

00:10:52.440 --> 00:10:53.090
for example,

00:10:53.090 --> 00:10:58.370
our favorite song. That can easily make a password out of that that would be

00:10:58.370 --> 00:11:02.490
difficult to remember and would meet all of the rules for it.

00:11:03.180 --> 00:11:06.020
We make a password out of that that would be difficult to

00:11:06.020 --> 00:11:09.570
guess, and yet we can easily remember it.

00:11:10.070 --> 00:11:13.860
And of course, that makes security possible for people.
