URL: https://www.helpnetsecurity.com/2023/09/14/security-training-challenge/
Heather Hinton, CISO, PagerDuty
September 14, 2023

GREAT SECURITY TRAINING IS A REAL CHALLENGE



All employees need security training, yet it’s generally a resented
afterthought. A variety of studies over the years show that human error is
generally considered the largest vulnerability in organizations.

For technology companies such as SaaS providers, which also need to ensure their
developers and engineers are on top of their security game, there is the further
risk of passing threats on to customers down the software supply chain. Tech
and non-tech colleagues alike must play their part – and that only comes from
lifelong learning.



Tech companies must be on top of their staff education, training, and best
practices. Every aspect of their delivery must minimize the risk to the
business, staff, customers, and their customers’ clients, too. Technical and
non-technical staff must be trained to quality standards, the most widely
applicable being SOC 2 and ISO 27001. There are also various data security,
privacy, and financial processing regulations relevant to certain industries
and staff roles.

Security training has always been a real challenge for tech companies. Product
innovators race ahead to get to market, and there’s a drive to “move fast and
break things”. With scale come other business, tech, and people challenges, and
security must compete with many other urgent and important priorities. By the
time many firms take it seriously – and even when they do – it’s not on the
radar of most employees. It’s time for that to change.


TAKING SECURITY MORE SERIOUSLY MEANS COMMITTING TO TRAINING

Everyone claims to take security seriously, but if CISOs and department leads
are not regularly and frequently (this is the key part) refreshing, testing, or
even deploying red team tactics against all employees, then they are not being
totally honest with themselves.

Without frequent refresher training and a culture that develops and supports a
security conscious workforce, the risk to the business is great. People make or
break a secure environment, and they make mistakes, forget, or get tricked
easily.

And with AI and machine learning now being used to create more realistic and
more targeted lures, the only way to mitigate this risk is with continual
training and ongoing awareness.


TOP TIPS FOR MAKING TRAINING THAT STICKS

Teach the why, not merely the what

This is essential for any training of any type. Demanding compliance makes the
mandated procedures seem like an imposition, and all security an obstacle to be
avoided. Explain the security vulnerabilities and common pitfalls so that users
realize the importance of their vigilance. Explain the consequences to the
business and to each user, both in their professional life and in their
personal and family life.

Do not shy away from technical details

Your tech team will want to know any limitations that impact their ability to
execute.

Where security solutions or steps may affect delivery, this must be accounted
for AND explained properly to senior leaders in terms of risk and incident
management. These senior leaders must be prepared for security to slow things
down and support this – security awareness is critical if this is to be part of
a top-down approach to security.

Non-technical staff will understand the scale and dangers present much better
when training is backed up by exercises and activities that put them at the
center of the threat, followed by statistics on breakout times, estimated
remediation costs, and the business impact for them and for employee security
should losses occur. Relevant detail underscores the importance of the exercise.

Be human, be real

Cover the major areas of risk – social engineering, passwords, physical
security, data handling, compliance, and so on – but don’t forget the human
element.

Technical and line-of-business people alike must understand what the major areas
of risk are for the business and their own roles. Think about the culture of
humans interacting with humans. Make it safe for people to check in or admit
fault when they take their training back to the real world.

Make it accessible for everybody

Security training must speak to the skilled and security literate to keep them
fresh and humble. It must also not overwhelm the less technically literate or
turn them off.

It’s worth tailoring the message to the role and seniority of the audience, and
training peer groups together. It doesn’t do any good for juniors to not ask for
clarification because they are overawed by the manager sitting next to them.

Having experts design training that speaks to cohorts by their requirements
helps avoid people zoning out. Everyone – whether they admit it or not – loves a
good horror story; play to that with engaging story-based training that will
motivate users to share and discuss.

Be funny, be memorable

Deploy all the best practices of a raconteur so that written elements sparkle
and spoken parts land well. Great security training is not bland – it’s
important and deserves to be impactful.

Remember: spaced and varied repetition is key to embedding learning for the
long term. CISOs must run the risk of becoming unpopular by insisting on
frequent, regular training and refreshers. Regular training – the standard
annual refresher training – isn’t enough anymore; frequent planned and surprise
training must be provided. Deploying red teams and surprise exercises can really
raise your employees’ game. Whatever the results, ensure a culture of learning
rather than blame, and incentivize the right levels of transparency, inquiry,
and honesty.

Give engineers the tools to create security-by-design

Your technical and product teams need even more security training to embed best
practices into the CI/CD workflow and ensure solutions are not vulnerable to
known risks.

Invest in the tools and training that give technical staff the frameworks and
models to make security a simple and easy step when creating great products.
It’s cheaper to avoid a vulnerability or a future breach at the development
stage. Stand up to cost-cutting pressures by pointing to products that ended up
causing problems due to lackluster security, and present a case that shows that
secure products secure profitability.


OVERCOME ALL CHALLENGES AND MAKE IT COUNT

All in all, security awareness training is essential, and it must be a live,
evolving process.

Take the same care and attention with the content, style, and delivery as one
would with both a wedding speech and a presentation to investors. Style should
never trump content, but if awareness training is to be effective, it should be
a very close second.

To create more secure outcomes firms must up their security training game, or
our whole digital world will get a little worse, one product, one system, one
day at a time.

© Copyright 1998-2023 by Help Net Security