At the recent RSA security conference in San Francisco, there seemed to be a rift forming between security professionals as to the effectiveness of Security Awareness Training. As we all know, this is a mandated activity, but many are questioning whether it actually improves security. I believe the concerns are partially valid, as companies with even the best programs are being breached by attackers through phishing schemes and email Trojans activated by “trained and aware” employees.
In light of the breaches, I don’t think it is fair to condemn awareness training. I believe we need to look more closely at how we train employees and look for ways to better elevate and maintain awareness throughout the year. Annual training has a half-life that I do not believe lasts the whole year; its effect diminishes quickly after the session. Additionally, security training can be boring and cause many glazed eyes shortly into the session. Retention from these sessions is often very short-lived.
I believe effective awareness training can be a deterrent to behaviors that put systems at risk if it is continual rather than once a year. What needs to be developed is a culture of security, which is hard to achieve with just an annual refresher. MRIoA strives to create this culture. This year, MRIoA will be looking for innovative ways to continue to foster a secure environment through training delivered in smaller doses. To the point: just the fact that you have read this has elevated your awareness today.
Don Murphy, MS, CISSP, Vice President, Information Technology