Seven criteria for selecting safety awareness training service providers

Posted by McNeil Deleon on February 13th, 2021

In 2020, as the epidemic accelerates the scale and normalization of worldwide telecommuting, attacks on enterprises will be magnified geometrically, and social engineering attacks and phishing attacks will increase sharply. IAM, endpoint security and network security awareness training are becoming the fastest growing "hot money" network security products and services. According to the gosecurity survey (the figure below), network security awareness training may be the most reliable security product or service in the eyes of enterprise security managers, yet it accounts for the smallest share (less than 10%) of the enterprise's overall security expenditure.

Good network security awareness training can turn "human vulnerability" into a "human Great Wall", and turn the weakest link into the strongest line of defense. For that reason it is the essential service with the highest cost-effectiveness, and it can quickly enhance the network security resilience of enterprises.

For IAM and endpoint security products and services, mature evaluation tools and methods are available in the market. But for network security awareness training, which used to be marginalized and ignored, many enterprise security managers still have no specific selection methods and standards.

In fact, network security training is a systematic and professional service. Many enterprises rely on internal training teams, but more enterprises turn to external suppliers for help. Because the security threat situation is developing so fast, the best approach is to hand the work to experts who have mastered the most recent trends. However, finding a safety awareness training partner with matching ability, trustworthiness and potential for long-term cooperation isn't easy. Here, we summarize the seven key attributes of excellent network security awareness training service providers.

1. Compatibility with enterprise security axioms

According to Charlie Lewis, an expert assistant partner of McKinsey and Company, a management consulting firm, the key to the long-term success of security awareness training is to find a provider that meets your organization's security needs, policies and goals. Before contacting suppliers, it is crucial to conduct some internal research.

"Security awareness training products must be an integral part of a great network security culture, network security awareness and security change management plan," he explained. "These three factors are also the key conditions for the selection and successful implementation of safety awareness training."

Lewis, a former assistant professor of political science at the U.S. military university and the creator of the U.S. Army's network leadership education program, suggested that an internal consensus is required to select a security awareness company.

"It's very important for security managers to work well with front-line employees and business leaders to see whether a particular security awareness service meets their needs and interests," he said. "This ensures the proper products and services are chosen."

2. Engagement

Jo Stewart Rattray, founding chairman of the ISACA women's leadership advisory committee and chief information security officer of Silver Chain Group, an Australian family health and advanced care provider, believes that safety awareness training must match the enterprise culture and the abilities of employees, and must improve employee participation.

"It's hard to achieve success with the same sort of training," she says. "Training must be adapted to the enterprise and its own preferred learning style."

Dan Callahan, director of online training at Capgemini in the United States, a business consulting firm, points out that understanding the audience's ability level is essential to providing effective and targeted training.

"Some of the training is remedial and driven by simplistic content, ignoring differences in employee roles and safety skills," he said. "The content of safety awareness training should closely follow the safety situation, and the relevance to the customer's corporate culture is also very important."

3. Pertinence of training content

According to Sharon Chand, head of risk and financial adviser of Deloitte's network and strategic risk department, safety awareness training must be targeted. "For example, the awareness training methods used by internal staff and executives might be different from those used by contractors or third-party suppliers." Similarly, the strategy for training privileged-access IT staff is very different from that for oilfield operation technical staff.

"We've found that customizing safety awareness training for a distinct audience can greatly improve efficiency," she said.

Greg Touhill is former chief information security officer of the federal government, president of Appgate Federal, a network security company, and part-time faculty at the Heinz School of information systems and public policy at Carnegie Mellon University. To determine the value of the content of cyber security awareness training, there's nothing better than a real assessment, he said.

"I like the form of a trial, where a selection committee consisting of random employees takes part in the IT program of the bidding manufacturer and carries out a trial to assess whether their abilities meet the requirements," he said.

4. Complete training content to meet the needs of a diversified workforce

In contrast to small companies with employees in concentrated areas, large enterprises with employees spread across regions or continents often face a larger range of localized threats. Touhill said he always focuses on security awareness training tools that are highly relevant to the whole team in terms of attack prevention and usability, wherever the team is located.

"We have employees in lots of non-native English speaking countries," he said. "Therefore, I attach great importance to the multilingual and cross-regional coverage of safety awareness services and products."

5. Support for threat modeling integration

Most enterprises use some kind of threat model to identify, confirm and handle network threats. Touhill recommends awareness training products that use threat modeling. "For example, if a particular national hacker organization or cyber criminal gang is spying on my intellectual property rights, I'd like my security awareness training curriculum to be targeted and help my team understand how to cope with threats properly."

Threat modeling is usually regarded as a purely technical category; in fact, it may also cover business interests and business demands. "It's important to determine what you want your company audience to consider," Callahan said. Types of fully conscious information Because oftentimes, internal threats will be the biggest problem." "Good network awareness training will help prevent and mitigate most threats."

Lewis believes that it's essential for security awareness training companies to know how network threats directly affect the security training of business personnel. "Threat modeling is an integral aspect in the successful implementation of the security awareness training course," he said.

6. Reasonable price

Touhill suggests that the enterprise information director or security director should communicate more with peers to ascertain whether a service provider's quotation is competitive.

"The CISO community is unrivalled in sharing recommendations," he said. "The communication between CISOs might help them quickly identify competitive company candidates."

According to Callahan, CISOs must be cautious about providers who are trying to oversell their services or products: "Nowadays, many companies are overloaded with training content and activities."

"Therefore, if an excessive amount of safety awareness training content or information is provided to employees, they'll certainly be overloaded and numb," he warned.

7. Capability to provide effective training

Chand said: "Driven by business expansion, cloud computing, artificial intelligence, machine learning, mobility and Internet of things, ecosystem globalization provides attackers with a better attack surface. Effective safety awareness training may be the simplest way to meet these challenges."

To gauge the potential effectiveness of a particular safety awareness training product or service, Stewart Rattray suggests that key stakeholders, such as the heads of HR and other relevant departments, ought to be included in the decision-making process.

"When assessing the potential effectiveness of an item, it's important to use cross-departmental collaboration and make sure that key stakeholders are involved in the decision-making process and try the product where possible," she said.

Lewis believes that a proof of concept (POC) test is a good way to test the effectiveness of security awareness training services in practice: "As time goes on, you may begin to see phased training results, such as the decline of the malicious link click-through rate."

"You will have to measure this metric throughout the proof of concept and continuously measure the product."

If the product or service does not meet expectations, inform the supplier. "If the tool does not actually decrease the click-through rate of phishing or the risk of human error, work with the service provider to adjust the training pace, and if all methods fail, search for other suppliers," Lewis suggested.

Ensuring the long-term effectiveness of safety awareness training techniques is an open-ended task. The safety team must constantly monitor the effectiveness of safety awareness training products.

"A common method known to most security leaders is internal phishing testing," Callahan said. Another popular method is to spot check employees' office desktops to see whether there is any leakage of key or sensitive information.
