Ahead of the information security training event SANS London 2015, the training body SANS will be running the recently updated MGT433 Building a High-Impact Awareness Campaign class on November 14 and 15.
The course will be taught by course author Lance Spitzner. Over a 15 year career, Spitzner has worked on cyber threat research and security training and awareness with the NSA, FIRST, the Pentagon, the FBI Academy, the President’s Telecommunications Advisory Committee, MS-ISAC, the Navy War College, the British official CESG, the Department of Justice, and the Monetary Authority of Singapore and invented and developed the concept of honeynets as well as authoring several books and over 30 security whitepapers.
In his view, based on the available evidence, it is extremely likely that every large organisation will experience an information security breach at some time. Spitzner says: “People are often an organisation’s greatest weakness. However this is not their fault, but the failure of the organisation. Through a high-impact awareness program, organisations can radically change that.”
The threat is increasing, he says, with the rise of more interconnected networks and new trends such as cloud, teleworking and mobile devices distributing sensitive digital data to more locations. According to the influential Data Breach Investigation Report (DBIR) which has examined over 100,000 security breaches over the last decade, 81pc of the incidents can be described by four root causes namely miscellaneous errors (27 per cent), insider misuse (19pc), crimeware (19pc) and physical theft/loss (16pc).
According to Spitzner: “The biggest factor of ‘miscellaneous errors’ are simply any mistake that compromises security. The main threat comes from human error, such as accidentally posting private data to a public site, sending information to the wrong recipients, or failing to dispose of documents or assets securely. However, lack of security awareness also has a part to play in insider misuse, physical theft and lost incidents.”
In his view, organisations have had security awareness programmes, but these were compliance driven, designed by auditors to ensure their organisation could ‘check the box’. “These programmes consisted of nothing more than a once year Power Point presentation or some very basic Computer Based Training (CBT). While this approach ensured compliance, they were not effective at changing behaviours.”
Yet he believes that the past several years have witnessed a fundamental shift in how organisations have begun approaching awareness and training. “They are building mature security awareness programs that identify and change high-risk human behaviours. After working with and helping literally hundreds of organisations around the world build security awareness programs, we wanted to share with others what we have seen work and what does not work.”
The two-day course teaches the key concepts and skills needed to build, maintain and measure such a programme. Spitzner also points out that the course is structured to meet the soft skills needed for effective program development and delivery: “Often security awareness programs are run by highly technical people such as security analysts or IT administrators. While these individuals understand security, they lack the skills or training to effectively communicate to a large group of people. They also tend to view security problems from only a technical perspective. Security awareness programs instead should be run by people with communications, marketing or learning backgrounds. We need people that can effectively reach and engage others.”
SANS London 2015 runs at London’s Grand Connaught Rooms in the West End; 14 courses spanning four core disciplines. Visit https://www.sans.org/event/london-2015.
