Of Black Hat and security awareness

The annual security conference was a chance to go deep. But back in the office, how do you get 100% of the company’s employees to complete the security awareness training?

In the past few weeks, I was able to go deep into security issues (during my yearly pilgrimage to the Black Hat security conference in Las Vegas) and then concentrate on the basics (by getting our employees to fulfill our security awareness requirements). Both were highly satisfying.

Black Hat came first. If you’re able to attend just a couple of conferences per year, I highly recommend RSA and Black Hat to all security professionals, regardless of level. They’re conveniently spaced about six months apart, making it easier to get your boss’s approval.

Action Plan: Use a carrot, not a stick, and then sic HR on the last non-complying employees.

Black Hat is a combination of in-depth, mostly hands-on training and briefings, which tend to be presentations on various security topics, typically with a focus on security weaknesses. I am most interested in briefings in which the presenters demonstrate a successful hack or compromise of something very interesting or familiar. This year’s quintessential Black Hat presentation demonstrated the ability to remotely control connected-car functions. It’s the sort of thing that really sets Black Hat apart.

Of course, Black Hat also has the obligatory expo floor, and I enjoyed the opportunity to obtain demos from technology vendors that I currently use or am considering. It’s much easier to ask pressing questions in a venue like this than to schedule individual meetings and then sit through a bunch of marketing slides before getting to the real substance. One stop on the floor was at Palo Alto Networks. We’ve recently deployed that company’s advanced firewall, and I had some questions about the new interface in the latest version. Also, I’m currently in the market for a new SIEM tool, and there were plenty of vendors to meet with. I was able to knock out four in-depth product demos in less than three hours! And of course, Black Hat wouldn’t be much fun without some cool parties and networking events, and what better place for that sort of thing than Las Vegas?

Prior to departing for Black Hat, I had set up our yearly security awareness training for employees and contractors. We purchased subscriptions to two of the SANS Institute’s Secure the Human training programs, one for end users and one for developers. I like these SANS programs. They’re easy to deploy; they do a good job of keeping track of the users who have completed the training; the material is of a high quality, with both breadth and depth of security information; and the material is frequently updated, which is important given the fast pace of change in security and technology. I also like the brevity of the training, which is more about substance than storytelling, so our employees can cover more ground in less time.

There was just one problem. Employees weren’t completing the training. After two weeks, only 40% of employees had completed it, and most hadn’t even started. Our CEO had already sent out a message emphasizing the importance of the training and the requirement that all employees complete the training within 30 days.

I didn’t want to do anything that would make me come across as the mean security guy. Instead of escalating the matter to other managers or sending out nasty messages, I got my boss to allow me to expense several hundred dollars’ worth of Starbucks gift cards. I then sent a message stating that I would be giving out gift cards to 20 random employees who completed the training by the end of the third week. And I’ll be damned! Being the nice security guy works sometimes. The completion rate hit 90%. Of the non-compliers, many were out, either on vacation or taking some other valid leave.

For the remaining employees who were in the office, I had one of our new HR representatives reach out to encourage them to complete the training. She employed guilt, explaining that if we didn’t obtain 100% completion, we would not be PCI-compliant, which we need to be in order to grow. Guilt worked too. Within 30 days, all eligible employees had completed the training. And since I had required all employees to read and attest to their understanding of our security policy and code of conduct before completing the course, I knocked out another PCI requirement.

I’ll continue to use the SANS training sporadically throughout the year as needed to emphasize security risks. For example, if there is a sudden surge in phishing attacks, I will require all employees to complete a single module related to email security. That’s what’s nice about having a learning management platform and an easy means to deliver and track training for a large number of employees.

By Mathias Thurman