Security / October 15, 2018

Everything You Actually Need to Know About Security Training

For National Cybersecurity Awareness Month (NCSAM) a colleague in the Gigamon Marketing group asked me to write a blog post about security awareness training. They were surprised at my response:

“Dear Marketing, I appreciate you reaching out and asking me to write a blog about the importance of ‘cybersecurity workforce education, training and awareness while emphasizing risk management, resistance and resilience’ for NCSAM. Here’s the thing: expectations of security awareness training are usually wrong.”

What Do People Need to Know, Anyway?

Let me explain: When you get on a plane to go to an industry event, you sit down in your seat, lament how little legroom you have and then halfway pay attention to the flight attendants while they point out exit locations and how to don a life vest. This is airplane safety awareness training, and it’s meant to help you in a much more serious situation than you’ll ever experience in a cyber incident. Yet, I’m willing to bet, you don’t always follow the advice of that seatbelt light.

How would you react if, after the life vests, that training kept going? And the next item on the list was “how to handle an engine flameout on takeoff”? Well, that’s easy, everyone knows that:

  1. Call “ENGINE FIRE” and refer to the T/O procedures
  2. Call “GEAR UP” and note if we have a positive rate of climb
  3. Check if the landing gear is up — we cannot afford that much drag when we’re down a powerplant
  4. Set the IAS to the white bug and check the flaps are in normal position
  5. After about 10 more steps, we can key the mic and call “mayday”

You didn’t need to know that, did you? Yet, when I consider cybersecurity awareness training, I can’t help but feel that this is what we’re doing to you. When I look at what we expect you to do, it’s insane. For example, why am I asking you to:

  1. Recognize targeted phishing attacks from nation states that employ professional psychologists to write them
  2. Know if a TLS (that’s the real name, not SSL) certificate is valid or not
  3. Know the importance of need-to-know and know how to safely transport data
  4. Be a good custodian of your password — which I guarantee is bad, by the way — and be careful where you enter it

It’s Not You, It’s the Technology That’s Lacking

The answer is because we’re not doing a good job with the underlying technology. Just like you shouldn’t need to know how to resolve that engine flameout, you shouldn’t be expected to be a security technologist.

Simply put, training employees is a way to offload a failure that we don’t want to acknowledge. A failure that stems from us not looking for a better way, from not selling our leaders on how to properly do security and from blindly accepting compliance mandates for training. We are supposed to be building systems that protect you and providing training that helps you understand how that protection works. We are supposed to be helping you adjust behaviors that can lead to harm. We are not supposed to ask you to fly the plane with us.

At this point, you may be wondering how we got here. It’s the outcome of cyber teams being overloaded, burnt out and flailing in the face of nations and organized criminals waging a war using poor users as proxies. This might sound gloomy and make you think about turning that laptop in and moving to the woods, but don’t go just yet.

We defenders are about to turn a corner and finally provide you the protection you deserve. It’s coming in the form of automated detection and response (hang in there, don’t get distracted and go scroll Twitter quite yet). We’ve begun to realize that computers are much better at fighting computers than humans are. So, how does that help us?

We’re realizing that to protect you, we need to quickly find out what’s happening on the network — what your computer is doing when it talks to other computers. Once we do that, we can use smarter computers to decide if you’re in danger and, if we do automation right, we can stop the bad guys before they hurt you.

The Mistakes We’ve Made

This takes some forward thinking. We used to have this idea of “the perimeter,” which was basically a wall built around you, and if we kept the bad guys out then we were going to be okay. Unfortunately, the bad guys got in anyway.

Then we decided the perimeter was dead and we weren’t going to trust anyone. So we had you start jumping through hoops that were too much like landing a plane — and you, rightly, objected and we ended up implementing less effective measures. After that, we decided we’d lock your systems down, but then your productivity was trashed and we couldn’t afford to block you from doing your jobs effectively.

We’ve made a lot of mistakes over the years, but this time we’re getting it right. In the past, we kept doing a variation of the same thing that looked a little different each time, but our basic flaw was in answering the question “is this secure or not?”

Security Is Not a Binary Choice

The problem we missed is that the question itself is binary — secure or not — but security isn’t like that. Security is about risk, and it evolves and changes over time. It’s like a dimmer switch instead of a regular light switch.

Now that we recognize this analog nature of security, we can do more useful things to protect you. For example, we can:

  • Detect that you are about to download malware and stop just that connection without blocking you completely
  • Ask if data is leaving your computer in a strange fashion and slow it down while we determine the risk
  • Watch for phishing emails and warn you that it might be bad or completely stop it if the risk is higher than our levels of comfort
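To make the dimmer-switch idea concrete, here is an added example (not code from the original post, and not a Gigamon product) of a small risk-scoring policy that maps each of the three situations above to a graded response rather than a plain allow/deny. All weights, thresholds and sample events are constructed for illustration; the reputation feed, per-host byte baselines and email indicators are assumed inputs that a real pipeline would supply from its own telemetry.

```python
"""Graded, risk-based responses: allow -> warn -> throttle -> block.

Added illustration; weights and thresholds are hypothetical tuning values.
"""
from dataclasses import dataclass
from enum import Enum
from statistics import mean, pstdev
from typing import List, Tuple


class Action(Enum):
    ALLOW = "let it through"
    WARN = "let it through, but warn the user"
    THROTTLE = "slow this one flow while risk is assessed"
    BLOCK = "stop this one connection or message (the user is not blocked)"


# Risk floors for each response, highest first. Constructed values.
THRESHOLDS = [(0.70, Action.BLOCK), (0.45, Action.THROTTLE), (0.20, Action.WARN)]


def decide(risk: float) -> Action:
    """Map a 0..1 risk score to a graded response instead of a yes/no gate."""
    for floor, action in THRESHOLDS:
        if risk >= floor:
            return action
    return Action.ALLOW


@dataclass
class Download:
    host_reputation: float  # 0 = known-good .. 1 = known-bad (assumed reputation feed)
    executable: bool        # payload is an executable/script type
    first_seen_domain: bool  # domain never seen by this organisation before


def download_risk(d: Download) -> float:
    """'About to download malware': weight reputation most, add context signals."""
    risk = 0.6 * d.host_reputation
    if d.executable:
        risk += 0.25
    if d.first_seen_domain:
        risk += 0.15
    return min(risk, 1.0)


@dataclass
class Egress:
    bytes_out_history: List[int]  # recent per-minute byte counts for this host (constructed)
    bytes_out_now: int            # bytes sent in the current minute
    destination_known: bool       # destination previously seen for this host


def egress_risk(e: Egress) -> float:
    """'Data leaving in a strange fashion': deviation from the host's own baseline.

    Volume anomaly alone caps at the THROTTLE band, so a spike slows the flow
    while it is examined; an unfamiliar destination is what pushes it to BLOCK.
    """
    mu = mean(e.bytes_out_history)
    sigma = pstdev(e.bytes_out_history) or 1.0  # avoid division by zero on flat baselines
    z = (e.bytes_out_now - mu) / sigma
    risk = min(max(z, 0.0) / 10.0, 0.5)
    if not e.destination_known:
        risk += 0.25
    return min(risk, 1.0)


@dataclass
class Email:
    display_name_mismatch: bool  # display name claims a sender the address does not match
    urgent_language: bool        # "act now", "your account will be closed", etc.
    lookalike_link: bool         # link domain resembles a trusted brand but is not it
    auth_failed: bool            # SPF/DKIM/DMARC did not pass


def email_risk(m: Email) -> float:
    """'Watch for phishing': weighted indicators; a few weak ones only warn."""
    risk = 0.0
    risk += 0.30 if m.display_name_mismatch else 0.0
    risk += 0.15 if m.urgent_language else 0.0
    risk += 0.35 if m.lookalike_link else 0.0
    risk += 0.20 if m.auth_failed else 0.0
    return min(risk, 1.0)


def triage() -> List[Tuple[str, Action]]:
    """Run the policy over constructed sample events and return the decisions."""
    baseline = [200, 220, 180, 210, 190]  # constructed bytes/minute history
    events = [
        ("routine doc download", download_risk(Download(0.1, False, False))),
        ("installer from new domain", download_risk(Download(0.3, True, True))),
        ("exe from bad-reputation host", download_risk(Download(0.9, True, False))),
        ("normal egress minute", egress_risk(Egress(baseline, 215, True))),
        ("egress spike, known dest", egress_risk(Egress(baseline, 2000, True))),
        ("egress spike, unknown dest", egress_risk(Egress(baseline, 2000, False))),
        ("urgent-sounding email", email_risk(Email(False, True, False, False))),
        ("urgent email, auth failed", email_risk(Email(False, True, False, True))),
        ("spoofed name + lookalike link", email_risk(Email(True, False, True, True))),
    ]
    return [(label, decide(risk)) for label, risk in events]


if __name__ == "__main__":
    for label, action in triage():
        print(f"{label:32s} -> {action.name:8s} ({action.value})")
```

The point of the example is the shape of the policy, not the particular numbers: every score lands on a band, and even the top band stops one flow or one message rather than the person. In a real deployment the baseline would come from the network visibility the post goes on to describe, and the weights would be tuned against the organisation’s own false-positive tolerance.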

To Work, We Need to See Everything on the Network

All of this usefulness requires one thing: We need to see everything on the network, be able to make decisions about risk, and then modify your experience seamlessly and quickly. This is the automation I was telling you about. Now, I know you’re wondering: “Jack, if we automate your job, who will write security blog posts?”

Don’t worry, dear friends, we will always need to tune automation, upgrade systems and, most importantly, meet compliance requirements. So after you read this blog, you’ve got 45 minutes of security training videos to watch and, yes, there is a quiz at the end.
