Security Manager's Journal: Security training on the cheap

With no budget, our manager has to devise a security awareness and training program on his own

This month, I've been putting together a security awareness and training program. It's been an opportunity to exercise my creative side (which admittedly is pretty weak). The challenge, of course, is the same as always (you're probably way ahead of me) -- I have no budget.

So like many other things that I've done in this job, I'm doing it myself. The difference this time is that I'm not building technology systems, which I'm comfortable with -- I'm putting together communications and training materials. That requires a different set of skills. Fortunately, I'm already comfortable with writing; these columns have given me a great opportunity to practice my written communication skills. But writing is only part of a comprehensive awareness and training strategy. Just sending out emails and posting information on a website isn't going to be enough to reach everybody.

The National Institute of Standards and Technology (NIST) has published a document, numbered SP800-50, that specifies some best practices for security awareness and training. Though it's oriented toward U.S. government agencies, it's a good starting point for determining what should go into a security training and awareness program for any organization. It has some good guidance for people like me who aren't training professionals but need to teach people good security practices and show them how to follow security policies.

You can download SP800-50 for free, so I won't go into detail about what's in it. I'll just say that the focus is on reinforcing desired security behaviors and teaching security skills to the users. NIST recommends various techniques to get the message across, most of which you've probably seen before. I'm putting together a Web-based training program to get across my key messages and show people how to properly apply our security policies. Putting up posters and sending out email newsletters are things I've already done, because they're free. These will supplement and reinforce the messages in my training. Giveaways and fancy video presentations are out of my range, since I don't have any budget. I'm also considering in-person meetings, such as joining department staff meetings to give a quick security presentation and dropping in on new-hire orientations. I'd rather have some slick materials to give out, but I'm making do with what I can produce myself. It seems there's a lot I can do to improve security awareness without spending money.

Document classification (Public, Internal or Confidential) is one of the core concepts I'm communicating with the training and awareness materials. Last month, I wrote about my new document protection technology project. It's going well so far. I found a consulting firm that can do the work and talked to some other companies that have implemented the technology. Now the key is to get my company's users to properly classify their documents. The technology will take care of the protection if the documents are classified according to their confidentiality.

Getting users to think about confidentiality and become aware of document classifications is my goal. The document authors and the departments that own the documents are in the best position to determine their confidentiality, so I'm relying on them. And the security training and awareness materials are my first step toward ingraining that thinking into the corporate culture. I don't expect change to happen overnight, but I am optimistic that I can dial up our security with the right messaging and reinforcement.

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at

Read more about security in Computerworld's Security Topic Center.