How To Implement Role-Based Security Awareness Training
By: Larry Kinkaid, senior consultant, CISO Advisory
At every organization, different employees have different responsibilities. In order to be successful and do their job correctly, each employee needs to know different things about their responsibilities. You wouldn’t ask a sales executive to develop software, just like you wouldn’t ask your software developers to run HR processes.
This holds true when it comes to security training, too. According to the 2022 Verizon Data Breach Investigations Report (DBIR), 82% of data breaches have a human element. Because of this risk, effective security training is essential for every organization. Tailoring security training to each employee’s specific role and responsibilities can make security training more engaging and effective.
Role-based security awareness training is exactly what it sounds like. Since employees have unique responsibilities and interact with different systems and data in their role, they need to know different things about security. Simply educating a DevOps engineer on how to identify social engineering attacks isn’t enough – they should also know how to apply security in each aspect of their day-to-day jobs.
How should organizations determine which roles need specific training? The first step is to identify any sensitive information within your organization. Next, identify the roles that interact with that sensitive information and use that information to determine who will need tailored or specific security training.
For many organizations, compliance requirements are an easy place to begin this process. While security training should never be a check-the-box exercise, compliance can help guide role-based security training. For example, if your organization processes, transmits, or stores protected health information, it must comply with HIPAA. Determine who interacts with that data and ensure they are trained to understand how to appropriately handle data under HIPAA.
Everyone who works from a computer and has an email account should undergo basic security training. Other roles to consider include:
- Developers: All developers should be trained in the preferred security standard based on the kinds of development activities. For example, the Open Web Application Security Project (OWASP) standard provides developers with the necessary controls and requirements for secure development.
- Accountants and Finance personnel: According to the DBIR, financial gain is the most common motive of threat actors involved in data breaches. Employees with access to financial information are likely to be the target of phishing attacks or other social engineering scams, and should be trained to recognize various threats.
- Human Resources (HR): HR employees typically have access to personal information for other employees and staff, including data like social security numbers, addresses, and other sensitive information. HR employees should be trained to understand why a threat actor may want access to HR accounts and how to avoid falling trap to social engineering scams.
- Privileged Access Users: Anyone with privileged access to systems, such as a system administrator, should receive tailored security training on how to ensure they’re keeping the systems they are responsible for secure. If an attacker were to gain access to a privileged user’s credentials, the attacker could potentially wreak havoc in a system by shutting it down, installing malware, and holding the system for ransom. This includes IT personnel who are responsible for maintaining the systems and devices that support the business objectives.
Some companies may have employees who don’t use a computer for work, and may not require basic IT security training. For those employees, figure out what IT exposure they do have, and give them a one pager outlining expectations and responsibilities. For example, a night janitor doesn’t need to undergo OWASP training, but they should have a basic understanding of other security risks, such as what to do in a situation where another employee left their work laptop unattended overnight and requirements for physical security at the organization’s facilities.
There are plenty of tools to help organizations implement role-based security training to varying degrees of cost and effectiveness. BARR’s partner Curricula has a free, basic security awareness training available to organizations of all sizes, and a number of more specific training episodes that can be used for role-based training such as privacy and HIPAA training.
Role-based security awareness training doesn’t need to be an expensive investment or tedious task for your employees. It can be as simple as starting a book club for developers who can on a bi-weekly or monthly basis to discuss educational books on secure development. At a minimum, employees should receive training appropriate to their role upon hire and annually thereafter. The goal is to be engaging and effective, not dull and time-consuming.
Measuring the effectiveness of role-based security training
Once role-based security training is implemented, how does your organization know if it’s successful? There are a few metrics for measuring the success of a training program, including the number of people that completed their training and the amount of time it takes for an employee to complete the training after onboarding.
Organizations can also measure the increase in security reports. When employees are reporting security issues or phishing emails, it actually shows the organization that security training is working.
Finally, security teams should also solicit feedback from their employees. Did they enjoy the training and feel empowered by it? How could it be improved? Real time feedback can help leadership determine any necessary changes to security awareness training.
Benefits of customized security training
Role-based security awareness training can be more effective than forcing all employees to undergo the same lengthy, boring training. Let’s take a look at some of the benefits organizations can expect after implementing role-based security training.
- Increased engagement: According to the DBIR, the majority of training took employees twice as long as they thought it would. The length of a training doesn’t equate to the value of the training. Role-based training makes security training more engaging by teaching employees what they need to know based on their roles.
- Better use of time and resources: It would be a waste of time and money for a marketing intern to undergo OWASP training. Instead, they should learn the basics of security training that is directly relevant to their role. Role-based security training treats each risk appropriately.
- Improve security culture: Role-based security awareness training shows your employees that security is important to your organization and empowers them with the education they need to mitigate security risks. It can help employees loosen up the dialogue around security, teaching them to not be afraid to admit security issues when they arise and the value of transparency.
Interested in learning more about role-based security awareness training? Speak with a BARR specialist today.
About the Author
As a senior consultant with BARR’s CISO Advisory, Larry Kinkaid supports the company’s growing CISO Advisory service offerings, specifically for small-to-medium sized companies in need of a virtual CISO (or CISO on retainer). He plans and executes various engagements including readiness assessments, policy and procedure documentation, vendor risk management assessments, and external audit assistance.