Attend any mainstream cybersecurity conference and you’ll likely be bombarded with acronyms and technical jargon. Perhaps you’ll hear play-by-play breakdowns of how to hack internet-connected devices. You might also hear about how cutting-edge machine learning or blockchain will or will not transform the field. But one thing missing from many cybersecurity events — and from the internet, for that matter — is a step-by-step, detailed plan explaining how to design and implement an enterprise security awareness training program.
A new course from cybersecurity educator InfoSec Institute is designed to help fill that void. Known as the Certified Security Awareness Practitioner (CSAP) program, it tackles tricky themes such as how to persuade management to back a cybersecurity education initiative, how to engage employees in such a program as partners, and how to win executive backing for such initiatives and align them with business objectives. The program also offers advice on delineating responsibilities between a security awareness team and cybersecurity subject matter experts, whether they are full-time employees or working on a contract basis.
“This is the only comprehensive security awareness practitioner training program right now that's targeted specifically at the security awareness practitioner role in the organization — this is a new role,” said Andrei Antipov, content team manager at InfoSec Institute.
Having had the opportunity to review the course materials, I can report that the program draws from hundreds of slides (281 to be precise, with varying levels of detail) and templates for such practical tasks as doing a cost-benefit analysis of a cyber awareness program or measuring the progress of such an initiative. Also included are templates of emails an organization can use when rolling out or administering a security awareness training campaign, and recommendations for sparking employee interest in cybersecurity.
As a journalist covering the Internet of Things landscape, I often hear about the cybersecurity talent gap. The problem can be especially vexing in industrial environments, which face an acute shortage of experts who understand the needs of that landscape, as well as difficulty in convincing “hard-hat” workers to focus on cybersecurity. In general, a lack of cybersecurity awareness is a common theme relating to the Internet of Things and to practically all types of organizations: enterprise companies, schools, manufacturers, organizations managing critical infrastructure and so on.
But the fact is, industries of all stripes often struggle to inspire security awareness in their employees — whether it is a new low-level recruit or an experienced executive. Many cybersecurity professionals take this as a given, concluding that “humans are the weakest link.” Complicating matters, many IT, network and cybersecurity professionals are more subject matter experts than they are either leaders or educators, which can lead to communication problems with employees from different departments.
By contrast, the CSAP program focuses on the human element of enterprise cybersecurity, and its suggestions go far beyond the phishing awareness training that is often the centerpiece of many organizations’ cyber education programs.
Many of the materials drew insights from feedback from InfoSec Institute’s customer base, as well as from materials in its SecurityIQ training platform, which is designed to be widely applicable. “The program is agnostic to any specific security awareness platforms or tools,” Antipov said. “Rather than just building on our platform and teaching others how to use it, we show them how to build their own.”
The designers of the course analyzed recognized industry standards from entities such as NIST and the PCI Security Standards Council and wove their recommendations into the program.
The course is designed to be broadly applicable, suitable for cybersecurity newcomers and experts alike. “The reality is that if you are involved in cybersecurity in your organization, you automatically will be tasked with leading the security awareness program,” Antipov said. “But that does not mean that you have the necessary skills for that specific task.”
An individual with, say, a cybersecurity credential such as the CISSP will be able not only to build an information security program within an organization but also to spread awareness among employees and respond to cybersecurity questions that don’t relate directly to IT or cybersecurity infrastructure.
With the first Certified Security Awareness Practitioner Training Boot Camp slated for December, the professionals who have enrolled thus far include roles such as technology architecture and security design (consulting), cyber risk analyst (government) and technology director (education).
The course also includes a section on building a “security champions program” led by a network of employees who can help seed cybersecurity awareness into the culture. The model can be especially useful for organizations with multiple facilities, whether it is an industrial company deploying IoT technology or a large school with multiple buildings. On the latter point, InfoSec Institute is working with a school with nearly 17,000 students and about 15,000 devices to manage. “They were attacked by ransomware four times and their CTO finally said: ‘OK, we need to have a security awareness program,’” said Kristin Zurovitch, director of corporate communications at InfoSec Institute. The school formed a champions network with 40 different individuals. “These are teachers. They are not IT or security staff, but they had an interest in cybersecurity. They exhibited solid security behaviors and could serve as mentors for others.”