What comes to mind when somebody says ‘security training’?
I bet your first thought is “Oh yay, more PowerPoints” – or perhaps “Yay, another round of being told I’m the enemy”!
At CDS we believe security training can be redesigned to avoid these reactions…
Security training should make people feel more secure and better prepared. Keep reading to learn how we’re enhancing our security operations!
Thinking outside of security binaries for training
We’ve all been there – checking your emails in between meetings, organizing your calendars, only to realize one millisecond too late what you did. You’ve clicked on the phishing email trap sent out by your security team. Oh no, here it comes. The look.
Your cries of “Phishing emails are not all built the same and I don’t click on the obvious ones! Plus I was waiting for a Teams invite, so that’s not entirely fair!” go unheeded. You’ve been caught in the Click and Shame training net again.
Once more, the wall between security and “the rest of us” has a new brick.
There are no easy solutions for security since the human factor is the hardest to predict and control. We don’t live in a binary world of “smart people are safe, others get scammed”; it’s more complex and ever-changing.
This results in crossed wires and conflict when neither side sees the other as a friend to support. That’s the reason why we needed to practice critical thinking – to approach the conversation from a different angle.
Re-designing #SecOps to feel more secure
One way we on the Security team are trying to re-design how we approach security training at CDS is by starting small: curating ‘snack-sized’ learning experiences to make people feel more secure.
Many industries use regular briefings like these to remind teams of their responsibilities in the workplace. These are short presentations (around 5 minutes), done regularly. The presentations are designed to teach for retention.
They’ve been shown to minimize safety incidents and are beneficial for fostering a strong health and safety culture regarding organizational and personal security. So we thought – why not apply this to our security culture?
Introducing ‘security snack time’ at CDS!
Our very first security snack time took place on June 7, during a Platform Town Hall.
I used a very humorous PowerPoint to talk about ways to combat feelings of fear, uncertainty, and doubt that can surface when it comes to security best practices.
I tried to make my colleagues feel like they can be part of the solution.
We received great feedback from the audience and were told that the information we provided was accessible, easy to digest and remember.
Our goal is to uplift and empower – to increase people’s confidence in their abilities to respond to an incident. We not only cover all of the usual topics found in the usual training, such as phishing, good password hygiene, and good data management, but also expand on this by adding tips and tricks that are pertinent to both work and personal life.
Fostering this culture also gives everyone a non-judgmental space to explore the risks of specific security issues and discuss ways to deal with them. As government employees working for the public, we know that not taking security seriously can have far-reaching implications. It’s our responsibility to find ways to teach security in such a way that our teammates retain the content and don’t just treat it as a checklist.
If people learn about logic security at work, they take it home and will be more secure all the time. It’s a positive feedback loop.
At CDS, we’ve introduced ‘security snack time’ to complement and reinforce our existing security operations training. We’ll continue to take advantage of curated training resources, offer hands-on technical training to CDSers, run incident simulations, and foster a blameless security culture.
We don’t want our coworkers to think of security as a roadblock, but rather to see that we’re working together to keep the road clear and avoid incidents. Fostering a relationship built on trust will make those hard security conversations down the road a lot easier.
Here is how we’re now approaching security operations at CDS:
- Empowering all people in the organization to feel confident with security practices without blame.
- Teaching human-centered ‘security operations and best practices’ for learning and retention.
- Changing the security narrative from ‘us vs security’ – to teams working together to build trust and security in the organization.
If you’re involved in security operations in your organization, take a look at your approach and see if these takeaways can help you improve for impact! Then, let us know if you found our approach helpful (Twitter, LinkedIn, or email).