Keys to Better User Training

It is widely documented that users are the biggest vulnerability in our cybersecurity ecosystem.  Technical solutions and policy are all foundational and necessary, but a single careless user or a deliberate shadow IT practitioner can easily expose the business to serious threats.  As a result, companies are increasingly looking for effective methods to train their employees to mitigate the user risk.  I see three keys to user training, and all of them must be addressed from the executive leadership level.

First, we need to make sure we have the right strategic business objective for the training.  Security professionals and curriculum developers are good at writing courses to cover everything from two-factor authentication to proper use of file sharing services.  But all of that training is going to fall on at least semi-deaf ears if you do not get employee buy-in on the importance of standards of behavior on the network.  Employees from the most junior level to the C-suite must believe that information security is critical to the success of the company, that there will necessarily be tradeoffs between convenience and security, and that they can connect the dots between their personal future with the company and adherence to security policies and standards.

Once you convince employees that their future is tied to their behavior on the network, you need to conduct effective training.  Once during onboarding, or even annually, is not sufficient.  Plus, it cannot be the same old computer-based slide show if you expect people to be engaged and get something out of it.  The threat changes daily, and so does the technology in use by the company.  Short, frequent, relevant training that is designed to engage the users is the key to success.  Unfortunately, few training programs meet these criteria.

The second key to success is making sure there are processes in place to validate that the training worked.  All of us have been subject to mind-numbing slide show presentations spiced up with cute memes and forced on us with deadlines right around the holiday break.  Training delivery clearly needs to be improved, and we cannot stop there.  We have to test the validity of the training.  Phishing exercises, scans for unauthorized USB devices, and automated logging of file sharing and selected web activity are all ways to see if the training is effective.  Additionally, we need regular incident response exercises that touch the whole company, not just IT and security.  And then we need to close the loop.  When we discover individual violations, determine whether it was a training problem and, if so, adjust the training.  From the exercise perspective, make sure we capture lessons learned, not just lessons “observed,” and make the appropriate adjustments to the playbooks.

The third key to better training is accountability.  In every company there are standards of behavior pertaining to key business processes.  Some are regulatory, others are safety related, and many are just designed to ensure the business is protected and can grow.  In all of those areas, we ensure people are trained and qualified to do their jobs, and if they fall short we hold them accountable.  We need to treat information security the same way.  If we have trained you on the policies and taught you to use the technology, then you must be held accountable for doing your part.  Without accountability throughout the management chain, this all becomes a problem for the CIO and CISO, and they cannot close the user vulnerability gap alone.

Make sure employees internalize the strategic rationale for security training, ensure that you have a good program by training and verifying, and in the end, enforce a level of accountability that fits your company culture when it comes to information security.

A Director’s Guide to Cybersecurity “Certification”

Boards get it: they need to exercise the same level of oversight regarding cybersecurity as they do with financial statements.  The difference is that there is a well-developed set of standards governing financial accounting, with associated audits and examinations.  The standards are not as well defined for cybersecurity, and it is important for directors to know exactly where their company stands in terms of adhering to an accepted framework and third-party certification and audit options.

In 2014 the National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity.  The framework has come to be known as just “NIST” when used by some in the context of “Oh, yeah, our company is NIST compliant.”  And so starts a trail of confusion regarding certification, compliance and standards pertaining to cybersecurity.

The NIST Framework for Improving Critical Infrastructure Cybersecurity is an excellent resource for organizing, planning and implementing cybersecurity controls in any environment, not just in a critical infrastructure company.  For directors, it is easy to grasp how the controls are organized around the five functions of Identify, Protect, Detect, Respond and Recover.  It has other features that allow companies to tailor their controls to enterprise risk appetite and resource constraints and to facilitate program management in the sense of “we are here now and we want to be there next year.”  All good, but directors should understand there is no such thing as “NIST certified” or “NIST compliant” in relation to the framework.  The NIST framework is increasingly gaining adoption as the de facto “standard”; however, there is no third party that can come in and certify a company as meeting the “NIST standard.”

The NIST framework is an excellent tool to prepare the company to achieve certification to an information security standard, and a widely accepted international standard is ISO 27001 certification.  Published by the International Organization for Standardization, ISO 27001 defines the management processes and structures that must be in place to reduce the risk of information compromise.  It also provides guidance on embedding the information security procedures within the larger risk management process of the company.  ISO 27001 certifications are issued for three years and require periodic audits to ensure compliance.  It is important to note that ISO 27001 certification just indicates that the company has satisfactorily designed and documented an Information Security Management System.  ISO 27001 certification does not capture how well the system works.  ISO certification must be accomplished by an accredited certifying body, and costs range from ~$20K to over $300K depending on how much consulting support the company needs to prepare for the certification, the auditor selected, and the complexity of the company’s information environment.

In 2011 the American Institute of CPAs issued its Service Organization Control (SOC) reporting framework.  Within that framework, the SOC 2, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, is the examination relevant to cybersecurity.  The SOC 2 examination is essentially an outside audit that verifies controls are in place and that they are functioning.  Depending on the nature of the business, the company should satisfy one or more of the five Trust Services Principles and Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.  SOC 2 examinations can cover a point in time or a period of time.  If a company has a well-established information security program, one year is typical.  SOC 2 examinations must be conducted by an accredited auditor and cost from ~$30K up, depending on the auditor and the complexity of the examination.

Not every company requires an ISO 27001 certification and a SOC 2 examination.  But every company should be following NIST or some other accepted framework to derive its cybersecurity strategy.  While there is no defined “standard,” a company that relies on the NIST framework to prepare for and achieve ISO 27001 certification, and then engages an auditor to conduct a SOC 2 examination to prove that the controls are in place and functioning, is on pretty solid ground for proving it has taken “reasonable measures” to protect critical information.

Directors who understand the difference between frameworks and certifications and can ask informed questions about why the company does or does not conduct an outside audit are in good standing when it comes to executing their oversight responsibilities regarding cyber risk.