Today we have a guest editorial from Andy Warren as Steve is at SQL Bits. This was originally published on Aug 21, 2015.
I just recently finished the annual ritual of required training for security awareness and compliance topics. If you work for a publicly held company, especially one that has PCI, SOX, or HIPAA data, you’ve probably done this, too. It’s a coffee drinking chore for me and that had me thinking – does it do any good or is it just checking the box for the organization?
The training covered a variety of topics: phishing, not sharing passwords, clean desk policy, ethics, travel, use of VPN, and more. This time it was a slide type presentation for each topic along with narrated audio, followed by a short quiz at the end of each topic. Most were mercifully short. In the early years it seemed like every topic was twenty minutes! Some of these were of the ‘check the box’ type, asking if you had read and understood various policies, while some were two pages long and one was closer to 100 pages. Does anyone (besides me) actually read a 100 page policy? Do we really expect them to? If we don’t, then what are we doing?
Businesses are trying to minimize the non-productive and/or non-billable time while trying to meet compliance requirements and provide useful training. Most do it by outsourcing the training, with a provider customizing it to some degree (links to local policy documents mainly). The end result winds up being a cookie cutter solution that satisfies the auditors and does some good, just not as much as if it really reflected the environment the employee works in, with the biggest internal problems of the previous year called out. This process also assumes that all training needs to be done every year, instead of making a bigger investment up front to make sure the employee really understands all the policies and processes and then using the annual training as a refresher.
We can do all the training in the world and still have someone click on a phishing link or let someone tailgate through a door or accidentally send out a list that contains sensitive data. It happens all the time. Does that mean the training is ineffective? That’s worth thinking about for a minute.
We can argue that the training reduces the frequency of issues because the users are educated about the threats. Or, we can argue that allowing for any failure is unacceptable and we must prevent those via a managed solution in the background. We could argue that the training isn’t good enough if mistakes are still made – true to a point maybe, but we’ll never get to 100%.
Imagine you own a company and you’re required to provide this training in some form. You get to decide:
- Everyone signs an electronic form once a year saying they’ve reviewed all the policies and agree to comply with them.
- Everyone does two to five hours of review followed by an acknowledgement and/or quiz.
- Everyone does two full days of refresher training along with multiple tests.
You can probably think of some other options, but it all comes back to being required to do something. Minimizing cost may increase the risk. Minimizing risk will probably increase the cost. It seems like the logical thing to do is focus on the areas that matter most and figure out how to address those topics most effectively.
I still groan when I see the email saying it’s that time again, but I’ve learned to accept it as the most reasonable way to meet the requirements.