Eddy is a leader in Kalles Group’s cybersecurity and risk management practice. He provides complex technical project leadership expertise in building enterprise security solutions for our clients.
Securing an enterprise environment means securing every aspect of that environment. In most cases, the effectiveness of one control directly contributes to the strength of another, so enterprise security is only as strong as its weakest link. Ask any security practitioner and they will most likely tell you that the human element, meaning user behavior, is that weakest link. With October's Cyber Security Awareness Month in full swing, here are three tips that can improve everyone's information security awareness and training, and help secure the human element.
Know your audience
This is a point that comes up in every talk, presentation, and conference in the IT and cyber security world, as it should. We as security professionals have our own way of seeing and understanding the world in which we exist and operate. That also means we have developed what works best for communicating with fellow security practitioners. That language typically will not be appropriate for, or understood by, non-security, non-technical people. Defining the language of your information security program is a great opportunity to step out of security jargon and use the business language that will help your users understand the concepts you are trying to explain.
Understand whom you are presenting to. By the nature of an information security awareness program, you will be attempting to impart technical and security knowledge to individuals in your organization whose roles are neither technical nor security focused. Use non-technical terms to explain these concepts. It does everyone a disservice to keep insisting that users only use secure protocols when browsing websites when they don't know what HTTP or HTTPS means, let alone the difference between them. Non-technical analogies help here, which brings us to the second point.
Use non-technical analogies
Many of the abstract concepts that we as information security or IT professionals understand and take for granted are not as obvious as we think they are. In fact, it has probably taken a good amount of time and energy to get to a level where a phrase like "reduce the possible attack surface and deter malicious threat actors" makes sense. Keep in mind that your audience is not technical and use analogies to explain complex abstract concepts to them. Instead of that phrase, try explaining that locking only the front door (the perimeter firewall) does little to keep a house secure if all the windows and back doors are left unlocked and open (host firewalls, or exposed applications, services and ports).
Understand that these analogies will become the foundation of their understanding of these technologies. Choose appropriate analogies, and to avoid future trouble, be clear about where an analogy fails to translate the cyber concept into a physical one.
Focus on the fundamentals, as tech will change
Technology moves fast. Cyber security moves faster. It is enough of a challenge for security professionals to keep up with what is new on the cyber landscape; it is simply not fair to expect a non-technical audience to keep up as well. So instead of talking about POODLE and Heartbleed, and why users should check not only that they are using HTTPS but also TLS 1.2 (as opposed to SSL 3.0), keep your training focused on the fundamentals of protecting data in transit. Talk about why using encryption on an untrusted network (the Internet) is a good idea. Then you can augment your training with additional information in a handout, additional hosted reading material, or hallway conversations with that one very enthusiastic user who says they know everything about computers because they game at home.
Staying focused on the fundamentals of technology and cyber security will help your audience better understand the concepts, how the physical-world analogies relate, and how emerging technology fits into current security practices. Understanding the fundamentals will also help them understand how current enterprise controls provide information security assurance, and how any change to those controls, or to the use cases involving those controls, can affect enterprise security.
By providing enterprise users with the knowledge they need to perform their jobs securely, and communicating it in a way that sticks, we will all be better able to secure our information, and hopefully avoid experiences like those of Wyndham, or T-Mobile and Experian.