October is National Cyber Security Awareness Month. I am hoping you will join me in a national program to kill cybersecurity awareness training programs. I don’t know who came up with the concept of “security awareness training”, but it has reached the end of its utility and should be replaced with something else. Is all we want for users to be “aware” of security issues? Don’t we want them to be educated enough to be active parts of the solutions?
I looked into the history of “security awareness training”. Did we inherit it from the pioneers?
I re-read “Establishing a Data Processing Security Program”, by William H. Murray, dated 1981. He gives management responsibility for “employee education and awareness”. No awareness training. Then I re-read “Fighting Computer Crime” (1998), by another pioneer, Donn Parker. He recommends creating “awareness and motivation for information security by tying security to job performance”, but no “awareness training”.
Then I re-read CSO blogger Michael Santarcangelo’s book “Into the Breach” (2008). Interestingly, this book does not contain the phrase “awareness training”. Awareness is discussed, but in the context of changing user behaviors. Isn’t this what we really want from users? Just being aware is no longer enough when technology is an integral part of everyone’s work and personal lives. We need to replace awareness with education.
The goal of educating users about security is to facilitate an organizational change, so that security is part of the company culture. This only happens through a step-by-step managed process. You can learn more about the steps by reading John Kotter’s book, “Leading Change” (2012). The processes needed to make this change occur have been analyzed by management researchers, so we don’t need to reinvent the wheel. One model that I like, for both simplicity and comprehensiveness, is the Star Model from Jay Galbraith.
This model emphasizes that five processes need to be implemented simultaneously in order to implement change. Obviously you need a security strategy. You also need to assign roles and responsibilities in the security structure. This needs to include the whole organization, not just the office of the CISO. You need processes, and supporting technology. Galbraith also includes carrots (as well as the implicit sticks) to motivate people. Finally, we have the people process: training and educating all staff to influence employee mind-set and skills around information security. Awareness training alone will not be enough to facilitate an organizational change. We need to enable our users to learn about security and how to use it in their jobs.
I know most security professionals are busy meeting compliance requirements, dealing with incidents and trying to keep up with technology and threats. However, we also need to keep an organizational change model in the back of our minds. If we don’t learn how to educate our users, I am afraid we will not get off the security cycle of pain.