In the past few weeks, I was able to go deep into security issues (this was during my yearly pilgrimage to the Black Hat security conference in Las Vegas), and then concentrate on the basics (by getting our employees to fulfill our security awareness requirements). Both were highly satisfying.
Black Hat came first. If you’re able to attend just a couple of conferences per year, I highly recommend RSA and Black Hat to all security professionals, regardless of level. They’re conveniently spaced about six months apart, making it easier to get your boss’s approval.
Action Plan: Use a carrot, not a stick, and then sic HR on the last non-complying employees.
Black Hat is a combination of in-depth, mostly hands-on training and briefings that tend to be presentations on various security topics, typically with a focus on security weaknesses. I am interested in briefings in which the presenters demonstrate a successful hack or compromise of something very interesting or familiar. This year’s quintessential Black Hat presentation demonstrated the ability to remotely control connected-car functions. It’s the sort of thing that really sets Black Hat apart.
Of course, Black Hat also has the obligatory expo floor, and I enjoyed the opportunity to obtain demos from technology vendors that I currently use or am considering. It’s much easier to ask pressing questions in a venue like this than to schedule individual meetings and then sit through a bunch of marketing slides before getting to the real substance. One stop on the floor was at Palo Alto Networks. We’ve recently deployed that company’s advanced firewall, and I had some questions about the new interface in the latest version. Also, I’m currently in the market for a new SIEM tool, and there were plenty of vendors to meet with. I was able to knock out four in-depth product demos in less than three hours! And of course, Black Hat wouldn’t be much fun without some cool parties and networking events, and what better place for that sort of thing than Las Vegas?
Prior to departing for Black Hat, I had set up our yearly security awareness training for employees and contractors. We purchased subscriptions to two of the SANS Institute’s Secure the Human training programs, one for end users and one for developers. I like these SANS programs. They’re easy to deploy; they do a good job of keeping track of the users who have completed the training; the material is of a high quality, with both breadth and depth of security information; and the material is frequently updated, which is important given the fast pace of change in security and technology. I also like the brevity of the training, which is more about substance than storytelling, so our employees can cover more ground in less time.
There was just one problem. Employees weren’t completing the training. After two weeks, only 40% of employees had completed it, and most hadn’t even started. Our CEO had already sent out a message emphasizing the importance of the training and the requirement that all employees complete the training within 30 days.
I didn’t want to do anything that would make me come across as the mean security guy. Instead of escalating the matter to other managers or sending out nasty messages, I got my boss to allow me to expense several hundred dollars’ worth of Starbucks gift cards. I then sent a message stating that I would be giving out gift cards to 20 random employees who completed the training by the end of the third week. And I’ll be damned! Being the nice security guy works sometimes. The completion rate hit 90%. Of the non-compliers, many were out, either on vacation or taking some other valid leave.
For the remaining employees that were in the office, I had one of our new HR representatives reach out to encourage them to complete the training. She employed guilt, explaining that if we didn’t obtain 100% completion, we would not be PCI-compliant, which we need to be in order to grow. Guilt worked too. Within 30 days, all eligible employees had completed the training. And since I had forced all employees to read and attest to their understanding of our security policy and code of conduct prior to completing the course, I knocked out another PCI requirement.
I’ll continue to use the SANS training sporadically throughout the year as needed to emphasize security risks. For example, if there is a sudden surge in phishing attacks, I will require all employees to complete a single module related to email security. That’s what’s nice about having a learning management platform and an easy means to deliver and track training for a large number of employees.