Nov 21 2013
I got invited to speak at the annual dinner of the Cloud Security Alliance in Oslo, Norway earlier this week and had a lot of fun at the event. I always enjoy visiting cities I’d probably never see if not for my job. Even more importantly, I love talking to people who are outside of the conference circuit and the echo chamber that is Twitter. It’s always interesting to see how these people see security differently than I do and differently than most of the people I hang around with (digitally, at least) do. I appreciate the invitation Kai Roer (@kai_roer/kairoer.com) extended to me and I’m glad I went.
The other gentleman who talked at the event was Mo Amin (http://www.infosecmo.blogspot.co.uk/), a London-based security professional who was giving what was only his second ever talk in front of a crowd. There were some rough edges to his talk, but then again, there are enough rough edges to my own talks that you could grate cheese on them. But Mo brought up some points about security awareness and training that many security teams need to be thinking about. Specifically, he asked how many of us are teaching to a plan we developed in a vacuum without understanding the needs of our audience or having talked to the people we’re trying to communicate with beforehand.
It’s surprising (or maybe not) how many security training seminars are something that was developed by people who are more concerned with what the target “needs to know” as defined by the trainer. We spend a lot of time developing the training based on what we believe our co-workers need to know to be secure, rather than asking them what they’d like to know about and how they’d like to be taught it. This is by no means true of all security teams, but it’s more prevalent than it should be and it’s thought of as ‘the right way to do things’ by many people.
Mo related a lot of his past experience from teaching English abroad to teaching security within a company. And when you think about it, from the point of view of a lot of our co-workers outside of security, we really do speak a different language in our little club. So maybe it’s worth taking some time out as you develop training to talk to your users in order to find out how they’d like to be taught. It might be interesting to see how that changes your effectiveness.