When was the last time you had any training related to cybersecurity? Was it just a week ago? Perhaps a month ago? If you work at a typical organization, it is more likely that when training happens, it happens just once per year. In addition, this meager training schedule could be the wrong approach altogether.
I spoke to Servio Medina for our cybersecurity podcast, Code Red, and we talked about security awareness and education through a different lens.
Servio is the COO, cybersecurity branch at the US Defense Health Agency, and he compares our current approach to cyber education to the way we teach mathematics; we may not need some of the things we learned every day, but we retain the logical process that accompanies our search for solutions.
I’ll let you listen to the entire interview on your own, but one of the highlights of this conversation is the assertion that annual education is nowhere near enough to change our personal and organizational ability to assess and react to the risks of cyber threats. With security, employees easily forget a once-per-year training session, and its logical processes never become embedded in our daily routines. Instead, the information becomes part of our noisy environment, fighting for recognition.
Servio makes a strong case for a new approach to cyber education, and sees a longer-term payoff, despite the initial investment. We also took a moment to discuss the role that behavior plays in cybersecurity. Not all solutions are based in technology, and even a perfect technology solution can only protect against known types of threats.
Technology cannot protect us from ourselves. We forget things (unencrypted laptop in car), circumvent processes (password taped to monitor), and we can be manipulated (clicking links in questionable emails).
If you still doubt how easy it is to manipulate and deceive, read just about any book by Kevin Mitnick or Frank Abagnale.
Listen to the Servio Medina episode of Code Red, “Strengthening Your Organization's Cybersecurity Culture.”
I hope it helps you think differently about how your organization approaches cybersecurity training.