Today’s post is all about Control 9 of the CSIS 20 Critical Security Controls – Security Skills Assessment and Appropriate Training to Fill Gaps (the last post pertained to Control 8). Here I’ll explore the (9) requirements I’ve parsed out of the control (I used the PDF version, but the online version is here) and offer my thoughts on what I’ve found [*].
Key Takeaways
- Outsource. I strongly recommend looking into a security awareness provider in place of standing up your own awareness program. Skilled security people are scarce in this field, so why spend their valuable time writing courseware and running awareness campaigns? Unless you have a credibility problem in your organization that only in-house delivery would fix, don't spend this valuable resource teaching something that may not be as effective as we had once hoped.
- Do the boring work. Maintaining the links between policy and implementation is tedious work, especially for the security awareness piece, but it is some of the most important work you can perform. Why? Consider what happens when "that day" comes and your organization suffers a material breach. The organization is subsequently sued. You land in court and are asked: did you train your people appropriately, as others in your industry do? Would you be able to answer that well?
Potential Areas Of Improvement
- Take a stand with metrics. One shortcoming I've seen across frameworks is a lack of metrics specification (some frameworks identify metrics but stop there). We all have day jobs, and metrics are not as straightforward as they sometimes seem ("just measure it" doesn't always work). There are a variety of useful resources for metrics, so there is no reason to omit a set of prescriptive metrics at the Control Framework level. To get started, look up Security Metrics: Replacing Fear, Uncertainty and Doubt, Security Metrics, A Beginner's Guide, or Security Metrics: A Practical Framework for Measuring Security & Protecting Data, and join the discussion at SecurityMetrics.org.
Requesting Feedback On
- General: I’d love to hear what you’ve done for your awareness program. What are your standards? Do you use a service provider? If so, which one do you use? Would you recommend one approach over another and why?
- Description: Perform gap analysis to see which security areas employees are not adhering to and use this as the basis for an awareness program.
- Notes: While this requirement is labeled a quick win, a true gap analysis is not likely to be a quick process. Before you can perform the analysis at all, it takes resources to 1) define what the standard of security awareness is for your organization, 2) decide how to measure against that standard, and 3) gather the data. I recommend defining your standards and outsourcing the rest.
- Description: Organizations should devise periodic security awareness assessments to be given to employees and contractors on at least an annual basis in order to determine whether they understand the information security policies and procedures, as well as their role in those procedures.
- Notes: If you follow my advice from the first requirement, the periodic assessments should happen automatically. The way I see it, outsourcing this function is important to the overall success of your Information Security Management Program. What you'll need to remember is to provide your service provider with up-to-date employee and contractor lists, complete with roles; an assessment that never reaches a new hire or a contractor tells you nothing about them. I encourage anyone with experience in outsourcing awareness programs to share it in the comments of this post.
- Description: Develop security awareness training for various personnel job descriptions.
- Notes: Typically, outsourced security awareness testing comes packaged with appropriate training. Your job is to review your organization's training needs annually and ensure your provider meets them, role by role. Again, I see no reason you should be in the training business; just ensure that the training happens regularly, is up to date, and is tested regularly.
- Description: The training should include specific, incident-based scenarios showing the threats an organization faces, and should present proven defenses against the latest attack techniques.
- Notes: Read this requirement as a pass-through to your awareness service provider. Where you can, avoid overly generic scenarios; instead, find a provider with a rich set of scenarios oriented to your organization's environment. For example, the scenarios facing a large credit card transaction processor are probably different from those facing an entertainment software company making children's games.
- Description: Awareness should be carefully validated with policies and training.
- Notes: This should be common sense, but realize that it will take time. Review your awareness needs and create a checklist of properties your ideal awareness program should possess. Compare service providers against this checklist and you'll be in good shape. Keep the checklist with your policies so it gets updated whenever the policies are. Yes, this is the boring part of the job.
- Description: Metrics should be created for all policies and measured on a regular basis.
- Notes: There are a variety of sources you can use for awareness metrics. Pick up a copy of 'Security Metrics,' by Andrew Jaquith (@arj) and look up Table 4-8, which includes metrics that cover this area, for example: percent of new employees completing security awareness training, percent of security staff with professional security certifications, and percent of existing employees completing refresher training per policy. Whatever you pick, define the numerator and denominator precisely (who counts as "new," which completion date counts, how long a refresher stays valid) so the number means the same thing from one reporting period to the next. I would additionally encourage your organization to include security awareness training in performance reviews.
- Description: Awareness should focus on the areas that are receiving the lowest compliance score.
- Notes: This feels very out of date. Compliance scores are useful, but what we call this ought to change: too often compliance is reduced to a meaningless checkbox. It would be better here to focus on the areas presenting the most risk to the organization's business processes, weighting a low score by how much that policy area matters rather than treating every area as equal.
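As an added, worked example (not from the original post, the CSIS document, or Jaquith's book) of the gap analysis above, of two Table 4-8 style completion metrics, and of how "lowest compliance score first" and a risk-weighted ordering pick different areas to focus on: everything below is constructed and hypothetical, including the roster, the training-completion export from an assumed learning-management system, the assessment results, the risk weights, and the 90-day new-hire and 365-day refresher windows.

```python
"""Awareness-program metrics and gap analysis over constructed HR, training
and assessment records. Added example for this post; not from CSIS or the
original author. All names, dates and risk weights are hypothetical."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed roster: (user, role, hire_date).
ROSTER = [
    ("alice", "developer", date(2012, 1, 9)),
    ("bob", "developer", date(2011, 3, 1)),
    ("carol", "helpdesk", date(2012, 2, 20)),
    ("dave", "finance", date(2010, 6, 15)),
    ("erin", "finance", date(2011, 11, 2)),
    ("frank", "security", date(2009, 8, 30)),
]

# Constructed completions, as an (assumed) LMS might export them:
# (user, course, completed_on).
COMPLETIONS = [
    ("alice", "onboarding-awareness", date(2012, 1, 16)),
    ("bob", "annual-refresher", date(2011, 2, 10)),   # older than a year
    ("dave", "annual-refresher", date(2011, 12, 1)),
    ("erin", "annual-refresher", date(2012, 2, 3)),
    ("frank", "annual-refresher", date(2012, 1, 5)),
]

# Constructed assessment results: (user, policy_area, passed).
ASSESSMENTS = [
    ("alice", "phishing", 1), ("bob", "phishing", 0), ("carol", "phishing", 0),
    ("dave", "phishing", 1), ("erin", "phishing", 0), ("frank", "phishing", 1),
    ("alice", "data-handling", 1), ("bob", "data-handling", 1),
    ("carol", "data-handling", 0), ("dave", "data-handling", 1),
    ("erin", "data-handling", 1), ("frank", "data-handling", 1),
    ("alice", "physical", 0), ("bob", "physical", 0),
    ("carol", "physical", 1), ("dave", "physical", 0),
    ("alice", "password", 1), ("bob", "password", 1), ("carol", "password", 1),
    ("dave", "password", 1), ("erin", "password", 1), ("frank", "password", 1),
]

# Hypothetical risk weights per policy area (1 = low, 5 = high); a real
# organisation sets these from its own threat picture.
RISK_WEIGHT = {"phishing": 5, "data-handling": 4, "physical": 2, "password": 3}

NEW_HIRE_WINDOW = timedelta(days=90)    # who counts as a "new employee"
REFRESHER_PERIOD = timedelta(days=365)  # refresher must be at least annual


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def completion_metrics(roster, completions, as_of):
    """Two Table 4-8 style completion metrics, evaluated as of a given date."""
    latest = {}  # (user, course) -> most recent completion on or before as_of
    for user, course, done_on in completions:
        if done_on <= as_of and done_on > latest.get((user, course), date.min):
            latest[(user, course)] = done_on
    new_hires = [u for u, _, hired in roster if as_of - hired <= NEW_HIRE_WINDOW]
    existing = [u for u, _, hired in roster if as_of - hired > NEW_HIRE_WINDOW]
    new_trained = sum((u, "onboarding-awareness") in latest for u in new_hires)
    refreshed = sum(
        (u, "annual-refresher") in latest
        and as_of - latest[(u, "annual-refresher")] <= REFRESHER_PERIOD
        for u in existing
    )
    return {
        "pct_new_hires_trained": pct(new_trained, len(new_hires)),
        "pct_existing_refreshed_in_period": pct(refreshed, len(existing)),
    }


def area_scores(assessments):
    """Compliance score per policy area: share of assessed users who passed."""
    passed, total = defaultdict(int), defaultdict(int)
    for _, area, ok in assessments:
        total[area] += 1
        passed[area] += 1 if ok else 0
    return {area: passed[area] / total[area] for area in total}


def lowest_compliance_first(scores):
    """The control's literal ordering: worst-scoring area first."""
    return [area for _, area in sorted((s, a) for a, s in scores.items())]


def prioritise_gaps(scores, risk_weight):
    """Risk-weighted ordering: gap (1 - score) times the area's risk weight."""
    ranked = sorted(
        ((1.0 - s) * risk_weight.get(a, 1), a) for a, s in scores.items()
    )
    return [area for _, area in reversed(ranked)]


if __name__ == "__main__":
    print(completion_metrics(ROSTER, COMPLETIONS, date(2012, 3, 1)))
    scores = area_scores(ASSESSMENTS)
    print("lowest compliance first:", lowest_compliance_first(scores))
    print("risk-weighted priority: ", prioritise_gaps(scores, RISK_WEIGHT))
```

On the constructed data the literal reading of the requirement puts "physical" first (only a quarter of those assessed passed), while the risk-weighted ordering puts "phishing" first, because a 50 percent pass rate on the area weighted 5 is a bigger exposure than a 25 percent pass rate on the area weighted 2. The windows in `completion_metrics` are exactly the definitions the metrics note says to pin down; change them and the percentages change, so publish them alongside the numbers.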
- Description: Conduct periodic exercises to verify that employees and contractors are fulfilling their information security duties by conducting tests to see whether employees will click on a link from suspicious e-mail or provide sensitive information on the telephone without following appropriate procedures for authenticating a caller.
- Notes: Here is a direct tie-in to your Incident Detection and Response program: the requirement is, essentially, to run a penetration test against your users. This is a great way to take care of multiple testing tasks, by the way. Keep the people in the know to a minimum, run a phishing campaign against your users, and measure two things at once: how many users click or hand over credentials, and how quickly the first user report reaches your ID&R team and what they do with it. Brief the help desk lead enough that the exercise does not get declared a real incident, and record only that a user submitted credentials, never the credentials themselves.
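As an added example (not from the original post or from any particular phishing-simulation product) of scoring such an exercise from its event log, including the detection-side number the ID&R tie-in is about, namely how long it took for the first user report to arrive: the log format, the campaign name, and all users and timestamps below are constructed and hypothetical, and the last line of the sample is deliberately malformed to show that one bad export row should not abort the scoring.

```python
"""Scoring a phishing exercise from a constructed event log, including the
time to the first user report. Added example for this post; not from CSIS
or the original author. Log format, names and times are hypothetical."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed event log, one event per line, as an (assumed) phishing
# simulation platform might export it. The final line is intentionally bad.
SAMPLE_LOG = """\
2012-03-14T09:00:02Z campaign=q1-invoice user=alice event=sent
2012-03-14T09:00:02Z campaign=q1-invoice user=bob event=sent
2012-03-14T09:00:03Z campaign=q1-invoice user=carol event=sent
2012-03-14T09:00:03Z campaign=q1-invoice user=dave event=sent
2012-03-14T09:00:04Z campaign=q1-invoice user=erin event=sent
2012-03-14T09:00:04Z campaign=q1-invoice user=frank event=sent
2012-03-14T09:03:30Z campaign=q1-invoice user=frank event=reported
2012-03-14T09:05:12Z campaign=q1-invoice user=bob event=clicked
2012-03-14T09:05:40Z campaign=q1-invoice user=bob event=submitted
2012-03-14T09:07:41Z campaign=q1-invoice user=alice event=clicked
2012-03-14T09:09:10Z campaign=q1-invoice user=alice event=reported
2012-03-14T09:12:00Z campaign=q1-invoice user=carol event=reported
2012-03-14T09:15:25Z campaign=q1-invoice user=erin event=clicked
this line is not an event and must be skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) campaign=(?P<campaign>\S+) "
    r"user=(?P<user>\S+) event=(?P<event>sent|clicked|submitted|reported)$"
)


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def parse_events(lines):
    """Parse log lines into (timestamp, campaign, user, event), oldest first.
    Lines that do not match the expected format are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts.replace(tzinfo=timezone.utc), m["campaign"],
                       m["user"], m["event"]))
    return sorted(events)


def summarise(events):
    """Click, submit and report rates plus seconds from first send to the
    first user report (the detection metric), and the follow-up list of
    users who clicked and never reported."""
    first = defaultdict(dict)  # user -> event -> first time it happened
    for ts, _, user, event in events:
        first[user].setdefault(event, ts)
    targeted = [u for u, ev in first.items() if "sent" in ev]
    if not targeted:
        return {"targeted": 0}
    clicked = [u for u in targeted if "clicked" in first[u]]
    submitted = [u for u in targeted if "submitted" in first[u]]
    reported = [u for u in targeted if "reported" in first[u]]
    first_send = min(first[u]["sent"] for u in targeted)
    first_report = min((first[u]["reported"] for u in reported), default=None)
    return {
        "targeted": len(targeted),
        "click_rate_pct": pct(len(clicked), len(targeted)),
        "submit_rate_pct": pct(len(submitted), len(targeted)),
        "report_rate_pct": pct(len(reported), len(targeted)),
        "seconds_to_first_report": (None if first_report is None
                                    else int((first_report - first_send).total_seconds())),
        # Took the bait and never told anyone: candidates for follow-up.
        "clicked_not_reported": sorted(u for u in clicked if u not in reported),
    }


if __name__ == "__main__":
    for key, value in summarise(parse_events(SAMPLE_LOG.splitlines())).items():
        print(f"{key}: {value}")
```

Only the fact that a user submitted something is logged; the platform should never store what they typed. The `seconds_to_first_report` figure is the one to hand to the ID&R team: it is the start of their clock, and what they did after that report is the other half of the exercise.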
- Description: Provide awareness sessions for users who are not following policies after they have received appropriate training.
- Notes: Or just fire them. Don't let HR get in the way too much here. Your policies should be written in a way that 1) makes a reasonably compelling case for protection and 2) stipulates appropriate consequences when the policy is willfully or negligently ignored. At the end of the day, we are all living organisms responding to the same training methods. We can use carrots, but we should not do so at the expense of the stick.
Other Controls Reviewed In This Series
- Control 1: Inventory of Authorized and Unauthorized Devices
- Control 2: Inventory of Authorized and Unauthorized Software
- Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Control 4: Continuous Vulnerability Assessment and Remediation
- Control 5: Malware Defenses
- Control 6: Application Software Security
- Control 7: Wireless Device Control
- Control 8: Data Recovery Capability
- Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
- Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Control 11: Limitation and Control of Network Ports, Protocols, and Services
- Control 12: Controlled Use of Administrative Privileges
- Control 13: Boundary Defense
- Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
- Control 15: Controlled Access Based on the Need to Know
- Control 16: Account Monitoring and Control
- Control 17: Data Loss Prevention
- Control 18: Incident Response and Management
- Control 19: Secure Network Engineering
- Control 20: Penetration Tests and Red Team Exercises
* A method and format explanation can be found at the beginning of Control 1.
Editor’s Note: This article was written by a former contributor to The State of Security who now resides with a non-profit group with an excellent reputation. We thank him for his opinions and perspective, and wish we could acknowledge him directly for his outstanding efforts on this series.