Let's Not Go There...

Like other forms of routine maintenance, security training doesn't have a lot of glamour. However, it is every bit as important in the long run as checking your brakes or changing the oil in your car. By ignoring this fact, InterMint nearly ended up as road kill on the information highway.

Here's what they should have done instead.

Educate Executive Management

If management sends the message that they don't really care about security, the majority of the company is likely to follow suit. Management must make sure that the proper security classes are available for all levels, and that means executive management too.

Even though all managers should be required to take security training, sometimes you just can't force that issue. At the very least, however, the top managers need to know why security is important.

The reason is simple. Few executive managers will allocate funding for something without understanding why it's important. They need to understand the risk. Think about it. Would you buy earthquake insurance for your home if you lived in West Bend, Indiana? Probably not. Would you buy that insurance if your house perched atop the San Andreas Fault in California? The answer is "yes" (unless you're really stupid), because you understand the risk. It's been my experience that managers who understand the risks are more likely to write the checks for training.

Protect the Security Training Budget

Don't let security training be the first thing to go in a tight budget year. You'll pay for it later. The security you build today is required to keep everything else together. You wouldn't throw all your funds into new-product R&D and then not bother locking the doors to the labs, would you? Of course not. Yet, leaving your corporate networks open can have very much the same effect.

Make Security a Management Requirement

Some managers move from career opportunity to career opportunity. That is, they jump from bonus to bonus. To keep those bonus checks coming, those managers need to achieve their preset goals. To help ensure that security isn't overlooked by managers passing through, make providing security a management goal. Even better, tie achievement of that goal to the bonus plan.

When the CEO's system at InterMint was broken into, it suddenly became some manager's goal to fix that problem. However, having one manager own a security goal won't make much of a difference unless the rest of the management chain is also responsible. If Smita's manager had been given a goal regarding security, I'm sure I would have had a harder time breaking into the systems on the trading-room floor.

Make Training a System Administrator Requirement

System administrators are extremely busy people. It's incredibly easy for a system administrator to make general plans to obtain training and then realize that a year's gone past with nothing done.

Often, system administrators are just too busy to leave their networks or customers. Don't make it impossible for a system administrator to leave for the week. For example, Tia shouldn't feel that if she leaves for the week her entire network will crash, or that the resulting mess will simply await her return. Instead, her manager should arrange to have someone take responsibility for her territory while she's in class. You can't expect your people to spend a full day in training and then another six hours keeping the users happy. System administrators are likely to skip training if they see it as an extra burden added to all the other work already scheduled for the day. Honestly, would you want to take a class under those conditions?

To ensure that your company's system administrators actually get to the training they need, make taking that training a performance goal.

Attend Security Seminars

Security seminars are a great place to network and obtain information often hard to get elsewhere. Select some of the top security seminars for your system administrators to attend (such as SANS and USENIX). Since you probably can't send everyone, send one person per conference and make that person responsible for sharing what he or she learns. If possible, have that person give a formal presentation shortly after the seminar.

For those of you who already have a good handle on security, offer your services to speak at security conferences.

Have Brown-Bag Lunches

Most of us are sorely pressed for time. If you're trying to squeeze training into an overly busy schedule, remember that nearly everybody eats! Try holding a monthly or quarterly presentation during the lunch hour. Select important security topics and schedule internal and external speakers to cover the material. This is a good way to keep your system administrators up-to-date on important security issues, and it makes effective use of valuable time.

Disseminate Security Information

Don't send everyone scrambling to keep up at the same time. Put one person in charge of keeping up-to-date and transferring information to the rest of the team about security bugs, patches, new vulnerabilities, products, and so on.

Don't be shy about providing a good title and some extra cash to that person. Many people are driven by passion, but even then, money doesn't hurt. Anyone who keeps your team well informed should be compensated.

Don't overlook the importance of shared information. Some people like to hold onto information, remembering the old maxim, "Information is power." I personally find those people to be insecure. But there are a lot of them out there. Keep that in mind as you strive to keep security facts flowing through your company.

Join Security Lists

It's important to know when a new security bug hits the Internet. If your support staff isn't kept abreast of new security holes and problems, the attackers will be a few steps ahead of them. Make sure your system administrators are leading the information pack instead of being trampled by it. Security mailing lists, and internal aliases that redistribute them to the right people, can help keep them informed.

Write White Papers

I know a lot of really smart system administrators. If you're one of those people, share your expertise with others. White papers are a great way to do that.

White papers will also give you a higher visibility outside your company. That sends a positive message to the world about your company's commitment to technology and information sharing.

Write for Newsletters

There are plenty of security journals, magazines, and newsletters that are looking for good material. If you have a story to tell about support, products, tools, and the like, share that information with others. It's a great way to hit a large audience.

Develop Tools into Products

If you are developing tools to support security in your environment, consider having your company turn them into products, or give them away on the Internet for free. You might be creating tools that other people can use too.

Checklist

Use this checklist to determine how your company is faring in the training department. Can you mark a "Yes" beside each item?

___ Do all managers (from the top down) voice a corporate commitment to security?

___ Do they back up that commitment with funding for security training?

___ Is there a mandatory training program for system administrators?

___ Does that training program include details on configuring and supporting security?

___ Do security training policies exist?

___ Are they thorough, current, and widely known?

___ Are all employees, including executive managers, trained on their security responsibilities for the company?

___ Does a framework exist for developing and continuing security awareness?

IT Security: Risking the Corporation
ISBN: 013101112X
Year: 2003
Pages: 73