Critical Control 20: Security Skills Assessment and Training to fill Gaps

Published: 2011-10-28
Last Updated: 2011-10-28 17:37:45 UTC
by Daniel Wesemann (Version: 1)

There are two parts to this control: one focuses on users, the other on security and IT staff.

Keeping your users abreast of current threats and how to steer clear of these dangers is definitely important. But in today's compliance-driven corporate world, the average staff member already has to sit through many trainings and e-learnings on topics ranging from corporate records management to HR policies to anti-bid-rigging rules, etc. Hence, the first hurdle that every security training has to overcome is to actually get the initial attention of the audience.

If you had the choice between attending a "Security Awareness Training" and a presentation called "How to keep your kids safe on the Net"... which one would you join? The latter can impart just about the same lessons as the former, but hardly anyone in the audience will catch on to the fact that you are teaching them to be careful on the Net just as much as you are empowering them to watch their kids.

In other words, as in all marketing endeavors, packaging is everything. Once you have the users' initial attention, the easiest way to keep them interested is by using real life examples from your own company or institution. Even if the audience happens to be already aware of a certain attack or threat, and would otherwise be bored, they will always be interested in what REALLY happened, close to home.

You might find out that users come with three levels of security clue:

1. Those who just don't know better
2. Those who do know better, but take shortcuts, don't care, or have an "it won't happen to me" attitude
3. Those who do know better, and stick to being careful

For Group #1, train them, patiently and repeatedly.
For Group #2, make a gory example out of one or two trespassers. The others will catch on. If you can't get away with gory examples "pour encourager les autres", then patiently treat Group #2 like Group #1.
For Group #3, thank them for every risk that they spot and report, and empower them to act as coaches for Group #1 staff in their team.

SANS Control #20 and the SANS "Securing the Human" project are two good starting points for further information.

Now, for the training of security and IT staff. For most readers of this ISC diary, this will mean yourself, and maybe also the people you manage in your team. With training budgets for 2012 currently being drawn up in many companies, and the economic situation making it unlikely that the budget will be a brimming bucket of money, now is a good time to honestly assess where the gaps are and how to fill them most effectively.

Ask yourself:
- Do I have the know-how to oversee the implementation of some or all of the 20 critical controls? Where are my gaps?
- Would I have the know-how to actually implement, hands-on, some or all of the 20 critical controls? Where are my gaps?

If you are a manager of a security team, I'd recommend you do the above assessment for each of your staff members. Not everyone can be an expert in everything. But, sadly, the recent years of paperwork compliance (SOX, the old FISMA, etc.) have bred a large caste of security staff whose main and only competency seems to be "to track open issues". In the past couple of months, though, senior executives have definitely started to catch on to the surprising delta between what the "security compliance report" suggests and what the reality is.

SANS training is doing a great job teaching people (and even managers :) hands-on security skills of real value. But this isn't a SANS training commercial. Just an emphatic encouragement to all security specialists out there to make sure that you keep your skills up to snuff. And to all managers of security specialists: make sure you have the right people for the job on the team.

Because one thing's for certain: The job ain't gonna get any easier anytime soon.


1 comment(s)

Engaging the listener is always critical when imparting important information.
While the ruse outlined above can be successful, it can also close ears and alienate those who see through it.
I was always straightforward in my presentations, giving real world "horror stories" from other installations, without releasing sensitive information regarding those incidents. I advised the listeners of a known actor's attack, which I had shortly before been warned about and I set a mail filter to block his phish, minutes before going on vacation. One day of travel later, I was home and logged into my webmail, to find 350+ hits from said attack (verified, when I mailed my subordinate and had him verify the hits).
I advised them of a one-billion-dollar cleanup bill, all from the use of infected thumb drives, the majority of which were unauthorized. They had heard of PART of that incident on the news, but not the remediation cost.
And I used colorful terms, to ensure I had their attention, such as "evil spirits on the network".
Such things, heard coming from their information assurance professional certainly got their attention and their retention of information increased by an order of magnitude.
My only failure was one SA of the #2 variety, who refused to listen and was caught not only reading his webmail from a file server, but also opening attachments. He was asked to find other employment.