Security Training & Awareness - 10 Essential Techniques

Metadata

  • Author: Phil Venables
  • Full Title: Security Training & Awareness - 10 Essential Techniques
  • Category: articles
  • Summary: Effective security training should focus on creating ambient controls that minimize the need for extensive employee training. Organizations can enhance security by integrating risk management into existing processes and encouraging employee involvement. Additionally, using real incidents for education and fostering a culture of security awareness can lead to better outcomes.
  • URL: https://www.philvenables.com/post/security-training-awareness-10-essential-techniques

Highlights

  • Training our employees, vendors and customers on important topics to help them protect themselves is important.
  • It is a design failure if you are training people because they have to be part of the control framework of a system or have to act like a so-called “human firewall”.
  • All controls in some way should provide a path to raise concerns so people feel like they’re an active part of the control environment.
  • Make sure to do the 5 Whys to really get to the root cause. For example, there was a breach because of a vulnerability in an application server. (1) Why? Because the server wasn’t patched. (2) Why? Because the application software wouldn’t work on the upgraded server software. (3) Why? Because the application hadn’t been updated in 2 years. (4) Why? Because the team that worked on this had been allocated to work on other priorities. (5) Why? Because no-one identified in the budget the need for preventative maintenance on that critical application.
  • Strategic answer: examine how applications, including this one, are identified in the application inventory as being critical and how maintenance budget is, therefore, sustained to reduce the risk of recurrence of such a deadlock.
  • The best training of all is a drill, exercise or even a live-fire event. Having drills and exercises that get as close to reality as possible and test your people as well as your systems is ideal.
  • Make security specifically, or risk management more generally, a factor in how people’s performance is assessed and how different levels of promotion readiness are evidenced.