Thursday, May 19, 2016

Security Training and Awareness - Creating a Culture of Security

What is the difference between IT Security Training and Security Awareness?

By planning for and providing for both Security Training and ongoing Security Awareness campaigns, your whole organization will benefit.

Flickr: Stfaiths Road safety training 009

Security Training

You already know that Information Technology (IT) security training is an essential part of an enterprise security program. It provides targeted instruction on your company’s security policies, procedures, and techniques and focuses on developing skills such as secure coding or using a security tool. Also, you can measure what your participants have learned. Was the training effective? Have the participants learned the material? Can they understand and apply the new ideas?
Conducted by knowledgeable instructors, effective training programs go beyond asking participants to read a document and attest to understanding and agreeing to comply. Some examples of security training include:
  • Annual Security Training explaining the acceptable use policy and information security policy with all employees,
  • Data Protection Training to understand requirements for the protection of Personal Health Information (PHI) or credit card information,
  • Secure Development training for developers to learn secure coding practices, and
  • Contact Center Security training to prepare staff to detect and respond when they are a target of social engineering.

Security Awareness

Security awareness, on the other hand, is more about reinforcing general security principles and drawing attention to a particular issue so that people can respond accordingly. You can foster this culture of awareness through reminder messages that benefit the organization as a whole. Awareness campaigns complement training by reinforcing the company's policies, procedures, and practices covered in your targeted security training. Just as you remind young people to look both ways before crossing the street, these campaigns remind your colleagues to keep security threats front-of-mind, and to be aware of new and emerging threats.
In contrast to training programs, security awareness campaigns may be less formal in their delivery, and generally do not require you to collect evidence or evaluate the participants. According to NIST SP 800-50 “The most significant difference between training and awareness is that training seeks to teach skills, which allow a person to perform a specific function, while awareness seeks to focus an individual’s attention on an issue or set of issues.”
Some examples of issues that you can highlight in your security awareness program are:
  • How to choose good passwords, and how to keep them secure
  • Piggy-backing, challenging those who do not use the door card readers
  • How to prevent computer viruses, and what to do if you are infected
  • Recognizing phishing emails, and remembering to click only trustworthy links
By combining Security Training with an ongoing Security Awareness program, you will help to create a culture of security and promote vigilance. In short, your organization will be better prepared to address the security of information and technology assets.
The protection of information and technology assets is as much a human issue as an IT issue. Take a moment to think about your own Security Training and Awareness programs. What formal training do you provide? Do you have a program of ongoing Security Awareness? What can you do better to create a culture of security?
If you enjoyed this article, please “follow me”. Stay tuned for my next segment, where I will discuss some of the business drivers for Security Training and Security Awareness. Have anything else to add? Please post it in the comments below.
Ann-Marie Westgate is a Sr. Information Security Consultant with Digital Logic Solutions Inc. http://dlogic.ca
Further reading:
NIST SP 800-50, Building an Information Technology Security Awareness and Training Program http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf

2 comments:

  1. Very helpful blog... IT security training helps to become an ethical hacker. Thanks for sharing valuable information with us.

  2. Hey, nice blog!! Thanks for sharing!!! Wonderful blog & good post. It's really helpful for me, waiting for a more new post. Keep blogging!