August 20, 2015 at 8:12 pm
Comments posted to this topic are about the item Annual Security Compliance Training
August 21, 2015 at 2:29 am
I'm pretty sure it's always a groan. I don't want to appear arrogant but such security training seems to be very least common denominator. I'm not a particularly fast learner for real topics, I tend to be slow and try and take time to understand things well, but the pace of the material is hand gnawingly slow - it's like watching elderly non-computer folks browsing, sort of quarter speed slow motion. Everyone I am used to working with is pretty switched on and I don't think I would know anyone who would spend anything more than the absolute minimum time on any statutory requirements. Tick the box if possible and move on.
Not to say we don't spend time - lots of it - considering security.
August 21, 2015 at 7:03 am
The "training" is ridiculous for some of us. There needs to be two versions... one for people that don't work with security every day and a MUCH shorter version for those that do. Think "refresher/new requirements" for those that do rather than the "Ok... you're an idiot and know nothing about security" version.
--Jeff Moden
Change is inevitable... Change for the better is not.
August 21, 2015 at 7:06 am
Many people look at this annual security training as a checkbox to be filled. I belong to a developers guild in Charlotte. In 2002, I did a security presentation on web security. I knew I needed to get their attention so I got permission from the guild president to hack the guild web server. I was able to root the box in less than five minutes. The fact that I could demonstrate that really got their attention. The group went from sleepy to attentive very quickly. On another occasion the guild brought in a white hat hacker to discuss sql injection as a security vulnerability. The group was attentive there too.
If companies want to provide security training it might be wise to bring in white hat hackers to evaluate the security posture of the organization and then brief the company associates of the results. How attentive would the audience be if a hacker was able to demonstrate how easy it is to use social engineering to get access to a system. Or perhaps, break into the company website. The easiest way to demonstrate phishing is to spoof "Its time to change your password" email with a link to an external website that captures your current password and user name and has you re-identify your security questions. I think you get the picture.
Companies need to re-think the nature of the security problem and understand that demonstrations of actual vulnerabilities work far better than a briefing or static training.
August 21, 2015 at 7:11 am
I agree with THAT kind of training. THAT would be very useful. Since I'm a DBA, I'm considered to fall into 5 different training tracks for my company and they require me to view all the videos from start to finish and take multiple tests. Not one of them mentions SQL Injection or anything close to that. Things like how to avoid being "phished" seems more important to corporate.
--Jeff Moden
Change is inevitable... Change for the better is not.
August 21, 2015 at 7:25 am
Unfortunately 99 times out of 100 these are just dog and pony shows meant to look like you're doing something when you're just sighing heavily *along with the auditors* and patting C-levels on the head, assuring them everything's sugar and rainbows.
Security (as desired by C-levels and consumers) is a fantasy. It's not possible. Attack surfaces are WAY too large, best practices are a black art that works *some* of the time, a little, but not really.
The reality is it only takes one hole to sink a ship, defenders have to be perfect to protect their companies, and they lack control of the very things that they need to (such as source code for third party products) that even if they did have they couldn't understand or fix.
Security is simply an NP-C problem, basically insoluable. It's time to admit that and get genuine solutions instead of the current feel-good non-solution hoops idiots make us jump through now.
What genuine solutions? Ah, now *that* is the right question...
August 21, 2015 at 8:04 am
I'm required to go through security training and take (and pass) a test every year. It isn't anything new and pretty basic stuff, considering what I do every day. I love Jeff's idea of different versions of training, depending on what you do on a daily basis. The hacker demonstrations idea is awesome - it might get the attention of those people who are there to "tick the box" and not much else.
Those of us who work with security every day don't really need the pedantic ramblings about emailing PII, but I'm now fighting the urge to get on my soap box. The basics are just that - basics. Enough said.
August 21, 2015 at 8:17 am
An hour long pre-recorded video covering generic IT security topics, something the employees watch alone from their desk during a lunch break, probably doesn't count for much, if they've seen a few times over the years, but I think it's still relevent for the new guys and also for compliance purposes. Based on news reports, apparently there are developers and database admins at major corporations who are making basic level mistakes.
Security and best practices are topics that too easily get pushed into the background when folks are too focussed on deliverables or day to day operations. What would also be helpful are occasional deep dive training videos tailored to each employee's specific role. For example the database team can watch their training together as a group followed by an open discussion and then note taking about possible refactoring and fixes while it's forefront in everyone's mind.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
August 21, 2015 at 8:24 am
/shrug it's a compliance issues, it's not supposed to be useful and the vast majority of it can be summarized as use common sense.
We have to go through a bunch of slide shows then take a test on various subjects, the time efficient method is to just fast forward through the slide shows once take the test see the answers then pass it on the second try..... Oddly enough very similar to how I passed the written test for my drivers license.
August 21, 2015 at 9:12 am
I’ve learned to accept it as the most reasonable way to meet the requirements.
That is the issue. Instead of trying to improve performance and adherence, we try to meet requirements that don't change anything. If we really want people to follow guidelines, we need to find a method that encourages compliance. Viewing a lesson when people can't find time to do their required work, is not going to produce results. Leadership needs to impress upon managers that they EXPECT productivity to take a hit while everyone does their lessons. Then everyone needs to suck it up and accept that workers won't actually get everything done this week.
Oh wait, I keep forgetting reality.
Reality - Company wants to implement a new software package that will handle payroll, HR, procurement, AP, AR and GL. Vendor tells company it will require 30 full time employees who are experts in the subject matter, for a duration of 9 months. Company assigns 4 people, and those people still have to do their normal work. Those 4 employees end up putting in less than 20 hours each per person due to their other work. 18 months later someone is fired because the project didn't go live on time, and the scope was cut to just GL. Management declares it a success and grants bonuses to the project champion and CEO now that they have exactly what they really wanted, and because they went live early when compared to the new go live date they set a month after going live with GL.
Dave
August 21, 2015 at 9:19 am
ZZartin (8/21/2015)
/shrug it's a compliance issues, it's not supposed to be useful and the vast majority of it can be summarized as use common sense.We have to go through a bunch of slide shows then take a test on various subjects, the time efficient method is to just fast forward through the slide shows once take the test see the answers then pass it on the second try..... Oddly enough very similar to how I passed the written test for my drivers license.
I understand what you are saying. Personally I do not believe in common sense. What is common to us (technical folks) is not at all common to the average end user.
Using an example from society - to a poor child growing up in the ghetto, common sense is how to act when walking home from school so you make it home alive. To the same kid growing up in the ultra rich suburbs, common sense is knowing which brand of clothing to wear. IMO nothing is common to all of us, each of us is unique, and our experiences drive our behavior. Computer security could be improved if we taught it at very young ages in school, but then you get into the whole common core argument, and none of us want to devolve into that discussion. 🙂
350 million people in the US, 10s of millions in most European countries, almost 7 billion world wide - do we really expect everyone to have the same understanding of how to handle computer security? I don't see that happening.
Dave
August 21, 2015 at 9:24 am
djackson 22568 (8/21/2015)
Reality - Company wants to implement a new software package that will handle payroll, HR, procurement, AP, AR and GL. Vendor tells company it will require 30 full time employees who are experts in the subject matter, for a duration of 9 months. Company assigns 4 people, and those people still have to do their normal work. Those 4 employees end up putting in less than 20 hours each per person due to their other work. 18 months later someone is fired because the project didn't go live on time, and the scope was cut to just GL. Management declares it a success and grants bonuses to the project champion and CEO now that they have exactly what they really wanted, and because they went live early when compared to the new go live date they set a month after going live with GL.
That sounds like a place I used to work. 😛
I forget who has it in their signature, but I think it's applicable here: "A pessimist is an optimist with experience."
August 21, 2015 at 9:29 am
djackson 22568 (8/21/2015)
ZZartin (8/21/2015)
/shrug it's a compliance issues, it's not supposed to be useful and the vast majority of it can be summarized as use common sense.We have to go through a bunch of slide shows then take a test on various subjects, the time efficient method is to just fast forward through the slide shows once take the test see the answers then pass it on the second try..... Oddly enough very similar to how I passed the written test for my drivers license.
I understand what you are saying. Personally I do not believe in common sense. What is common to us (technical folks) is not at all common to the average end user.
Using an example from society - to a poor child growing up in the ghetto, common sense is how to act when walking home from school so you make it home alive. To the same kid growing up in the ultra rich suburbs, common sense is knowing which brand of clothing to wear. IMO nothing is common to all of us, each of us is unique, and our experiences drive our behavior. Computer security could be improved if we taught it at very young ages in school, but then you get into the whole common core argument, and none of us want to devolve into that discussion. 🙂
350 million people in the US, 10s of millions in most European countries, almost 7 billion world wide - do we really expect everyone to have the same understanding of how to handle computer security? I don't see that happening.
It's funny how, thanks to the proliferation of smart phones, half the world's population are now accidental Linux sysadmins.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
August 21, 2015 at 9:35 am
One aspect of mandatory training that I hate is the focus on listening.
As a visual learner rather than an auditory one, I find myself tuning out frequently during these trainings. I take the training seriously, so I find myself rewinding and listening to the same segment 2 or more times to try and actually hear everything.
If there's a transcript, that can be better (although it's still filled with the fluff that comes from talking).
I'd rather there be an option to absorb the material entirely in written form. However, the cookie cutter trainings seem to be against that, presumably because a succinct page of everything you need to know (however practical and helpful beyond the assessment) would make it easy to pass the test at the end.
Leonard
Madison, WI
August 21, 2015 at 10:10 am
When I was in the military (US Air Force), we had to do an annual security refresher. A 'several page' document was passed around with a 'sign to acknowledge reading and understanding' sheet. Boring. In fact it was so boring and normal, that at one location I was on leave when the document came out and ended up being the last one in the unit to see it. I'm a 'nit-picker' and won't sign anything without reading it. Imagine my surprise (not) when I saw the document everyone had signed was missing every other page. It was printed both sides, but somehow the even number pages got left out. And yes....the signatures of having read it included the commander and all the folks who put it together. The rest of the story, I reported it to my supervisor who took it up the chain of command. A new version with all the pages came around for everyone to "re-review" and sign.
At my current job (civilian), they don't use paper documents. It is done electronically and they change it every year to try and keep everyone's interest. One year it was done in the form of an on-line game show. Another year, it was done as a 'marathon', every section (with questions) was another milestone in the marathon. They always include scenerios, so it's not just 'read the rules', it's "here's the rules, here's a scenario, what would you do?"
We still have issues, but I believe people pay more attention to the training in the job I'm at now. It is all in the presentation.
-SQLBill
Viewing 15 posts - 1 through 15 (of 32 total)
You must be logged in to reply to this topic. Login to reply