Adventures in Security Awareness: Practical Advantages of an Educated Workforce
Speaker Biography
Keyaan Williams
• 15+ years fighting the InfoSec leadership battle
• Knows a few things about information security governance and what it takes to build a successful security program
• Helps other security leaders build successful governance, risk management, and compliance (GRC) programs
• Also helps start-ups, small businesses, non-profits, and university enterprises produce big business success
www.linkedin.com/in/keyaan
@KeyaanWilliams
Forcing users to complete annual security training just to check boxes is rubbish!
There are better ways to use education, training, and awareness to improve security.
Outline
Definitions
The Compliance-Driven Approach
The Compliance-Driven Problem
A Culture-Driven Alternative
Every Security Person Can Contribute
Summary and Q&A
Definitions
Understanding the words we are using will help drive the point home.
Practical
Adjective: of or concerned with the actual doing or use of something rather than with theory and ideas.
Education
Education focuses on transferring knowledge or information via communication tools that produce long-term retention.
Training
Training focuses on activities, coaching, and feedback that develop new skills or new knowledge that students can apply to their work.
Awareness
Awareness focuses on the increased perception of facts or information.
The Compliance-Driven Approach to “Security Awareness Training”
The regulators made me do it!
What normally happens
• Compliance defines the approach rather than tailoring something unique for the organization.
• Education, training, and awareness are consolidated into one big blob that is a single objective/activity.
• Education, training, and awareness are not distinct activities with specific, individual purposes.
The Compliance Perspective
“The organization will be more secure because
you gave users security training and you
confirmed that everyone participated at least
annually.”
ISO 27001 and 27002
“All employees of the organization and, where relevant,
contractors and third party users should receive
appropriate awareness training and regular updates in
organizational policies and procedures, as relevant for their
job function.”
NIST 800-53, AT-2
“The organization provides basic security awareness training
to information system users.”
PCI-DSS
“Implement a formal security awareness program to make
all personnel aware of the cardholder data security policy.”
PCI DSS v3.2
Testing procedures (12.6.1 and 12.6.2)
• Verify people attend training when hired and at least
annually.
• Obtain acknowledgement that people have read and
understand the security policy.
The Compliance-Driven Problem
Compliance provides a budget, but it doesn’t tell me how to
be effective.
The compliance problem
Compliance incentivizes a generic approach that
rarely changes behavior or has a meaningful
impact.
The compliance problem
Compliance requires no validation that users can
apply what they learned to their work.
The compliance problem
Compliance measures how many, but not how
effective.
Does theory produce practical results?
The Worst Case
• Content has nothing to do with the organization or its current threats.
• It is optional, or some people are forgotten.
• It only focuses on phishing and makes people afraid to check their e-mail.
• It produces no change in user-generated security events.
A Culture-Driven Alternative
What can we do to make this work for everyone?
What does culture have to do with anything?
Sociology 101 - Culture is the sum of attitudes,
customs, and beliefs that distinguishes one
group of people from another.
This should drive the content of education, training, and
awareness at an organization.
Security Theory and Culture Collide
Incorporating security theory from education,
training, and awareness into the culture of the
organization can practically make the
organization more secure.
This is about changing (or strengthening) security culture
• Emphasize what is important.
• Reward behaviors that reflect what is important.
• Discourage behaviors that do not reflect what is important.
• Model the behaviors that you want to see in the workplace.
C. McNamara, "Organizational Culture," Authenticity Consulting, LLC, 2000. [Online]. Available:
http://managementhelp.org/organizations/culture.htm#influence. [Accessed June 2016]
What is important?
• Assets and how we protect them.
• Data and how we protect it.
• People and how we protect them.
• Stakeholders and how we protect their interests.
What is good behavior?
• Follow policies, procedures, and standards.
• Report anomalies and strange events: “see something; say something.”
• Conduct activities ethically.
How do we discourage bad behavior?
• Frown at nonconformists; peer pressure is effective.
• Formalize recourse in policies and standards (e.g., HR processes and performance reviews).
How do we reward good behavior?
• Money
• Recognition
A Simple Culture Case Study
The simplicity of cause, effect, and human behavior.
Rewarding good behavior influences the workforce. Most people want the reward.
I want recognition that produces a reward → I inform security operations about suspicious e-mail → They recognize me or give me money
Every Security Person Can Contribute
I am not part of the security awareness team. What does it have to do with me?
Every Security Person Can Contribute
You don’t have to be a CISO, Director, or Security
Leader to contribute to the practical security
education of your organization.
Every Security Person Can Contribute
Practitioners have a great opportunity to communicate relevant information and influence behavior as part of their everyday interactions with people.
Every Security Person Can Contribute
You are a professional; you know a lot!
Share that information with everyone you encounter.
Every Security Person Can Contribute
Tailor content based on the audience.
Tell executives, managers, IT personnel, and non-IT end users
the same story, but package the story differently based on the
risk each group faces.
Every Security Person Can Contribute
Discreetly retrain compromised users.
You don’t have to embarrass people to get them to change.
Every Security Person Can Contribute
Bedside manner is important!
Don’t be a donkey about it.
Case Study 2
Combining incident response and user re-education to
improve security.
Combining security awareness and incident response to improve security
User causes event → CSIRT activated → Root cause analysis → Results shared with user → Anonymized results shared with workforce → # similar events decreases
Case Study: User causes event
This actually happened! “Oh my! I downloaded a malicious file from a suspicious e-mail.”
Case Study: CSIRT activated
Enterprise controls detect the indicator of compromise (IOC), and the Computer Security Incident Response Team (CSIRT) is activated to provide remediation.
Case Study: Root cause analysis
The CSIRT conducts root cause analysis to identify the malicious software’s impact and method of installation.
Case Study: Results shared with user
Findings from the root cause analysis are shared with the user.
• The user understands his or her part in the activity.
• This understanding prevents a repeat offense.
Case Study: Anonymized results shared with workforce
Results are anonymized to protect the image of the affected user and shared with the workforce.
• The affected user is not embarrassed.
Case Study: # similar events decreases
• Everyone learns from a single mistake.
• Other users are less likely to repeat the actions.
• A culture of respect increases the likelihood that users will report anomalous events.
Summary
What should I remember from this conversation?
1. Compliance requires security awareness training, but a compliance-driven approach is the wrong approach.
2. Effective education, training, and awareness can reduce the risk introduced by users.
3. Effective training is tailored, interactive, and meaningful.
4. Awareness is important to reinforce ideas.
5. All security personnel can contribute to education, training, and awareness in an organization.

 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Dernier (20)

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 

Practical Advantages of a Security Educated Workforce

  • 1. Adventures in Security Awareness: Practical Advantages of an Educated Workforce
  • 2. Speaker Biography
      • 15+ years fighting the InfoSec leadership battle
      • Knows a few things about information security governance and what it takes to build a successful security program
      • Helps other security leaders build successful governance, risk management, and compliance (GRC) programs
      • Also helps start-ups, small businesses, non-profits, and university enterprises produce big business success
      Keyaan Williams, www.linkedin.com/in/keyaan, @KeyaanWilliams
      Adventures in Security Awareness: Practical Advantages of an Educated Workforce 2
  • 3. Forcing users to complete annual security training to check boxes is rubbish! There are better ways to use education, training, and awareness to improve security.
  • 4. Outline
      • Definitions
      • The Compliance-Driven Approach
      • The Compliance-Driven Problem
      • A Culture-Driven Alternative
      • Every Security Person Can Contribute
      • Summary and Q&A
  • 5. Definitions: Understanding the words we are using will help drive the point home.
  • 6. Practical (adjective): of or concerned with the actual doing or use of something rather than with theory and ideas.
  • 7. Education focuses on transferring knowledge or information via communication tools that produce long-term retention.
  • 8. Training focuses on activities, coaching, and feedback that develop new skills or new knowledge that students can apply to their work.
  • 9. Awareness focuses on the increased perception of facts or information.
  • 10. The Compliance-Driven Approach to "Security Awareness Training": The regulators made me do it!
  • 11. What normally happens
      • Compliance defines the approach rather than tailoring something unique for the organization.
      • Education, training, and awareness are consolidated into one big blob that is a single objective/activity.
      • Education, training, and awareness are not distinct activities with specific, individual purposes.
  • 12. The Compliance Perspective: "The organization will be more secure because you gave users security training and you confirmed that everyone participated at least annually."
  • 13. ISO 27001 and 27002: "All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function."
  • 14. NIST 800-53, AT-2: "The organization provides basic security awareness training to information system users."
  • 15. PCI DSS: "Implement a formal security awareness program to make all personnel aware of the cardholder data security policy."
  • 16. PCI DSS v3.2 testing procedures (12.6.1 and 12.6.2)
      • Verify people attend training when hired and at least annually.
      • Obtain acknowledgement that people have read and understand the security policy.
  • 17. The Compliance-Driven Problem: Compliance provides a budget, but it doesn't tell me how to be effective.
  • 18. The compliance problem: Compliance incentivizes a generic approach that rarely changes behavior or has a meaningful impact.
  • 19. The compliance problem: Compliance requires no validation that users can apply what they learned to their work.
  • 20. The compliance problem: Compliance measures how many, but not how effective. Does theory produce practical results?
  • 21. The Worst Case
      • Content has nothing to do with the organization or its current threats
      • It is optional, or some people are forgotten
      • It only focuses on phishing and makes people afraid to check their e-mail
      • It produces no change in user-generated security events
  • 22. A Culture-Driven Alternative: What can we do to make this work for everyone?
  • 23. What does culture have to do with anything? Sociology 101: Culture is the sum of attitudes, customs, and beliefs that distinguishes one group of people from another. This should drive the content of education, training, and awareness at an organization.
  • 24. Security Theory and Culture Collide: Incorporating security theory from education, training, and awareness into the culture of the organization can practically make the organization more secure.
  • 25. This is about changing (or strengthening) security culture
      • Emphasize what is important.
      • Reward behaviors that reflect what is important.
      • Discourage behaviors that do not reflect what is important.
      • Model the behaviors that you want to see in the workplace.
      C. McNamara, "Organizational Culture," Authenticity Consulting, LLC, 2000. [Online]. Available: http://managementhelp.org/organizations/culture.htm#influence. [Accessed June 2016]
  • 26. What is important?
      • Assets and how we protect them.
      • Data and how we protect it.
      • People and how we protect them.
      • Stakeholders and how we protect their interests.
  • 27. What is good behavior?
      • Follow policies, procedures, and standards.
      • Report anomalies and strange events: "see something; say something."
      • Conduct activities ethically.
  • 28. How do we discourage bad behavior?
      • Frown at nonconformists; peer pressure is effective.
      • Formalize recourse in policies and standards (e.g., HR and performance reviews).
  • 29. How do we reward good behavior? Money. Recognition.
  • 30. A Simple Culture Case Study: The simplicity of cause, effect, and human behavior.
  • 31. Rewarding good behavior influences the workforce. Most people want the reward.
      I want recognition that produces a reward → I inform security operations about suspicious e-mail → They recognize me or give me money.
  • 32. Every Security Person Can Contribute: I am not part of the security awareness team. What does it have to do with me?
  • 33. Every Security Person Can Contribute: You don't have to be a CISO, Director, or Security Leader to contribute to the practical security education of your organization.
  • 34. Every Security Person Can Contribute: Practitioners have a great opportunity to communicate relevant information and influence behavior as part of their interactions with people.
  • 35. Every Security Person Can Contribute: You are a professional; you know a lot! Share that information with everyone you encounter.
  • 36. Every Security Person Can Contribute: Tailor content based on the audience. Tell executives, managers, IT personnel, and non-IT end users the same story, but package the story differently based on the risk each group faces.
  • 37. Every Security Person Can Contribute: Discreetly retrain compromised users. You don't have to embarrass people to get them to change.
  • 38. Every Security Person Can Contribute: Bedside manner is important! Don't be a donkey about it.
  • 39. Case Study 2: Combining incident response and user re-education to improve security.
  • 40. Combining security awareness and incident response to improve security (this actually happened!)
      User causes event → CSIRT activated → Root cause analysis → Results shared with user → Anonymized results shared with workforce → # similar events decreases
  • 41. User causes event: "Oh my! I downloaded a malicious file from a suspicious e-mail."
  • 42. CSIRT activated: Enterprise controls detect the IOC and the Computer Security Incident Response Team (CSIRT) is activated to provide remediation.
  • 43. Root cause analysis: The CSIRT conducts root cause analysis to identify the malicious software's impact and method of installation.
  • 44. Results shared with user: Findings from the root cause analysis are shared with the user.
      • The user understands his or her part in the activity.
      • This understanding prevents a repeat offense.
  • 45. Anonymized results shared with workforce: Results are anonymized to protect the image of the affected user and shared with the workforce.
      • The affected user is not embarrassed.
  • 46. # similar events decreases
      • Everyone learns from a single mistake.
      • Other users are less likely to repeat the actions.
      • A culture of respect increases the likelihood that users will report anomalous events.
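Slide 20 says compliance measures "how many, but not how effective", and the case study ends with the number of similar events going down. The Python below is an added example (not from Keyaan Williams' deck) that shows how a security team could actually measure the effect of the re-education loop described on slides 40 to 46: the repeat rate among users who received root-cause feedback, and the count of same-category events in equal windows before and after the anonymized findings were shared with the workforce. All users, dates, categories and the share date are constructed sample data, not incident data from the talk.

```python
from datetime import date, timedelta

# Constructed sample records (hypothetical users, dates and categories; not
# real incidents): each tuple is (event_date, user, category).
EVENTS = [
    (date(2016, 1, 5),  "u1", "malware-download"),
    (date(2016, 1, 12), "u2", "malware-download"),
    (date(2016, 1, 20), "u3", "credential-entry"),
    (date(2016, 1, 25), "u4", "malware-download"),
    (date(2016, 1, 28), "u5", "malware-download"),
    (date(2016, 2, 10), "u2", "malware-download"),   # u2 repeats after feedback
    (date(2016, 3, 15), "u6", "malware-download"),
    (date(2016, 4, 1),  "u1", "credential-entry"),   # different category: not a repeat
]

# Constructed: the day each user received root-cause feedback ("Results shared
# with user") and the category that feedback covered.
FEEDBACK = {
    "u1": (date(2016, 1, 6),  "malware-download"),
    "u2": (date(2016, 1, 13), "malware-download"),
    "u3": (date(2016, 1, 21), "credential-entry"),
}

# Constructed: the day anonymized findings were shared with the whole workforce.
SHARE_DATE = date(2016, 2, 1)


def repeat_offenders(events, feedback):
    """Users who caused another event in the same category after being re-educated."""
    repeats = set()
    for d, user, cat in events:
        if user in feedback:
            fb_date, fb_cat = feedback[user]
            if cat == fb_cat and d > fb_date:
                repeats.add(user)
    return repeats


def repeat_rate(events, feedback):
    """Fraction of re-educated users who repeated; None when nobody was re-educated."""
    if not feedback:
        return None
    return len(repeat_offenders(events, feedback)) / len(feedback)


def events_around_share(events, category, share_date, window_days=90):
    """Count events of one category in equal windows before and after the share date."""
    window = timedelta(days=window_days)
    before = sum(1 for d, _, cat in events
                 if cat == category and share_date - window <= d < share_date)
    after = sum(1 for d, _, cat in events
                if cat == category and share_date <= d < share_date + window)
    return before, after


def reduction(before, after):
    """Relative drop in similar events; None when there is no baseline to compare against."""
    if before == 0:
        return None
    return 1 - after / before


def effectiveness_report(events=EVENTS, feedback=FEEDBACK, share_date=SHARE_DATE):
    """Per-category before/after counts plus the repeat rate among re-educated users."""
    categories = sorted({cat for _, _, cat in events})
    report = {"repeat_rate": repeat_rate(events, feedback), "categories": {}}
    for cat in categories:
        before, after = events_around_share(events, cat, share_date)
        report["categories"][cat] = {
            "before": before, "after": after, "reduction": reduction(before, after)}
    return report


if __name__ == "__main__":
    result = effectiveness_report()
    for cat, row in result["categories"].items():
        print(cat, row)
    print("repeat rate among re-educated users:", result["repeat_rate"])
```

With the constructed data, malware downloads fall from 4 to 2 across the two 90-day windows (a 50% reduction) while credential-entry events stay flat, and one of three re-educated users repeats. Those are the two numbers worth reporting alongside attendance: a user who attended training but repeated the same mistake is a training failure that a completion percentage never shows, and a category whose count does not move after the workforce share tells you the shared lesson did not land for that behavior.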
  • 47. Summary: What should I remember from this conversation?
  • 48. Summary
      1) Compliance requires security awareness training, but a compliance-driven approach is the wrong approach.
      2) Effective education, training, and awareness can reduce the risk introduced by users.
      3) Effective training is tailored, interactive, and meaningful.
      4) Awareness is important to reinforce ideas.
      5) All security personnel can contribute to education, training, and awareness in an organization.

Editor's notes

  1. The Awareness and Training (AT) family has 5 controls. NIST SP 800-50 provides supplemental guidance for Building an IT Security Awareness Training Program.