Despite the latest Ponemon study on data breaches revealing that training programmes are the number one control measure implemented following a data breach, many organisations can still struggle to implement the correct security training.
Generic training programmes are a big no-no
A training programme paradigm used far too frequently is one where all employees are required to attend the same training.
This is rarely effective, because an instructor will always pitch the material at a single level of expertise.
If the attendees have different levels of knowledge, those with previous experience are bored by a simple, heard-it-all-before course, while those with little-to-no experience or low levels of knowledge get left behind.
To provide the most effective training experience, the course must be complementary to the role(s) of the attendees.
A heavy technical focus should be used for software developers and testers, whereas more of a business focus should be taken for project managers.
Even training carried out to fit in with compliance (e.g. SOX, PCI, HIPAA) should be customised based on the role of the attendees.
Otherwise it is most likely going to be a waste of time.
Training needs to match the evolution of hackers
Training programmes often remain static year after year, yet software security is constantly evolving.
Therefore, it is important to check that training on frameworks and languages that have not been updated within the last five years is still relevant.
Attackers are always evolving, even if the technology or practices being utilised are yet to change.
For example, attackers are beginning to use new methods and techniques, as well as pivoting on previously used attacks to break into legacy systems.
A big example of this is the data breach at software giant Oracle Corp, where a Russian cybercrime group breached computer systems in Oracle’s MICROS point-of-sale division.
When providing software security training, it is essential to include technical details of recent breaches where appropriate.
The MICROS example is recent and relevant and therefore a good example breach to include.
Even if the data breach is not specific to what students are currently working on, or to an area they are particularly knowledgeable in, they still find these discussions interesting.
The instructor needs to go above and beyond the Google search engine
In order to save money, technologists are sometimes asked to develop content that a professional trainer without a specific background in software development can use in their training sessions.
Instructors who simply reiterate information that their students could easily find through a Google search are a waste of time and money.
This is not to say that they are incompetent, but an instructor who can speak from experience is undoubtedly much more effective than one who will only relay information that could be found at the click of a button.
How to get funding for security training
When allocating a budget to software security training, putting emphasis on the potential cost of a data breach can help to obtain the necessary funding.
Ponemon, Forrester and others provide a vast amount of data on the cost of a data breach. Ponemon suggests that per stolen record there is an average cost of $221.
For industries like healthcare, life science, financial services, and transportation this per-record cost is much higher.
Getting priorities in line
According to Forrester, we are in the midst of a ‘golden age of hacking.’ If this is right, then there will be multiple ages of hacking in the very near future.
With the introduction of Internet of Things devices as well as cloud computing, hackers will keep adapting, new threats will arise, and the risk of attack will keep growing.
A big mistake organisations make is to wait until a data breach occurs before they properly invest in effective training programmes.
The best advice out there is to make effective software security training a priority before a breach hits.
Sourced by Patrick Gallen, training program manager at Cigital