@ISACA Volume 16, 8 August 2018

Tips on Training


Earlier this year, I was asked to travel and evaluate a training course. Fifteen minutes into the actual training course, it was apparent that the presentation was not truly training. It was something, but it was not training. When I reported this to management, they were curious as to why I did not think the course was training. I explained that the process of exchanging knowledge and information among people is usually performed at various levels of detail and in various dimensions. Even though the course included a demonstration followed by user free-play, it was not training. I understand that windowing technology makes the look and feel of the user interface standard; however, the mechanics of manipulating the windows and buttons, as they relate to the data needed to complete a business process, need to be understood. In a security program, the hierarchy of learning is broken down into education, training, awareness and orientation. Here is a quick discussion of the differences and why all levels of information exchange should be included in your security training program:

  • Education—Provides a depth of knowledge that allows a person to understand why something was done a certain way. It also prepares the individual to facilitate change.
  • Training—Provides a depth of understanding on the mechanics of how to use something or conduct activities. It is focused on a specific subject, business process or system.
  • Awareness—Provides familiarity with a subject. It may provide insight into new subjects or changes to existing subjects on which users were previously trained. It can also be used to communicate responsibilities and repercussions of not fulfilling responsibilities within the organization.
  • Orientation—Is like awareness. It is often reserved for information exchange that provides familiarity of a subject in a new environment. A good example would be when one starts a new job or moves to a new geographic location with an existing organization.

Now, how to include these levels of knowledge and information exchange in the context of a security program is worth discussing. It is critical that each of these activities have defined objectives and that an understanding of how each activity contributes to the overall skill of an individual to perform a role within the program exists. These levels of knowledge and information exchange can be applied to a training plan:

  • Education is very expensive to provide as an organization. Even though the organization may provide educational assistance, it is easier to obtain the education required of staff through the hiring process. However, there are exceptions. Often, there are highly motivated employees who show a propensity for a role or skill set. Those employees can be grown and employed into new roles through education assistance and training. Internships are another way of obtaining an educated workforce while simultaneously training personnel for the jobs within an enterprise.
  • Training should go in depth about a subject or system. It will teach the student the mechanics of doing something. It should focus on the how, what and—sometimes for role-based systems—who. There are many articles concerning what should be in a training plan and an overall training program. The following items are what I specifically look for in a training event.
    • Training needs to be organized in a manner that allows the student and the trainer to communicate the material concisely. This means the two must agree on terminology. There are many incidents where the trainers and the trainees use the same words, but the connotation of what is being said is completely different.
    • Training should reinforce the similarities with other activities or systems that the trainees are familiar with using. This provides confidence to the trainee and reduces the fear of change by building on existing knowledge. This is the importance of going over windowing technology as it relates to the system and the various buttons, slides, pull-downs, etc.
    • Training should also explain algorithms at a level that can be understood by the targeted audience. It has been said that only a fool would use a tool that they do not understand. This is especially true when working with artificial intelligence (AI). Often, AI is viewed as an absolute value when all results are a study in statistical probability. The influences on those probabilities need to be understood if an individual is to trust the system to return predictable results.
    • Training should demonstrate an exchange of knowledge. This can be done by testing or by resolving a scenario. Just provide some means to show the effectiveness of the training to the trainee. This could be kept within the classroom or forwarded to management, if required. It helps to ensure the trainee has the necessary skills to perform the activities or use the system.
    • Finally, training should be complemented with quick reference guides, user manuals and training materials. These materials can be taken away and used as reference until the trainee is efficient at using the system.
  • Awareness, as its name implies, should provide familiarity on a subject. It should focus on making the employee knowledgeable about the existence of something and the reason it is important to the organization, but not necessarily why. When I conduct training, I try to make awareness fun. I have shown movie clips that represent important security requirements related to the topic on which I am conducting training. There are so many good and “that will never happen” examples of security concepts in movies, for example, a computer room with glass walls on the first floor of a building and a Humvee driving through it, or spy movies in which everyone is shot and then an eyeball is removed and held up to a biometric reader to enter secure rooms. Building awareness with movies can be fun and really creates audience interaction.
  • Orientation is the simplest form of information exchange. It is very similar to awareness but is often provided to solicit interest in each area or to inform employees that the area exists. This should be left to human resources to execute during new employee indoctrination.

In the end, all levels of education are needed in a security training program. It is critical not to attempt to educate alone. It has been proven that training is preferred because the cost of education could outweigh its benefit. Training can even become expensive if not performed properly. It is critical to remember that the cost of curriculum development, documentation and labor to conduct the training needs to be weighed against the level of knowledge required to be efficient and effective when performing the organization’s business processes.

Bruce R. Wilkins, CISA, CRISC, CISM, CGEIT, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins has the opportunity to provide his customers with secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.


Auditing Application Containers



Application virtualization allows the number of applications in the hosted environment to increase without a corresponding increase in the number of servers. Additionally, it allows applications to be segmented into more manageable sizes of data, meaning less physical storage space is required for the application. While cost savings and better application deployment are some of the benefits of application virtualization, organizations are also embracing ways to implement change faster, which exacerbates the challenge of maintaining consistency and reliability as software is migrated from one computing environment to another.

Application containers can be used to maintain consistency and reliability because they consist of the application and all of the application’s dependencies, such as libraries and configuration files. To help provide assurance that application containers are mitigating application deployment risk, ISACA has released the Application Container Audit/Assurance Program. This program considers the preservation of data integrity through all phases of application containerization (planning, development, deployment, maintenance and destruction) and tests it in the following areas:

  • Risk analysis and management
  • Security awareness and training
  • Images
  • Registry
  • Orchestrator
  • Application security during development
  • Secure connections
  • Hardening
  • Container destruction

Conducting a formal assessment of the host operating system, network, container runtime and images of application containers, including, but not limited to, Docker and Rocket, allows auditors to assist management in identifying where controls are working as intended and where areas for improvement exist. To download this audit program, visit the Application Container Audit/Assurance Program page of the ISACA website.


ISACA Security Podcast: Analyzing the Skills Gap in Cybersecurity



ISACA’s monthly security podcast series will now feature interviews with Frank Downs, director and subject matter expert (SME) of cybersecurity practice at ISACA. Downs will share his insights on the latest security news, including breaches, vulnerabilities and changes in the security landscape. This podcast is available on the ISACA website, iTunes, Google Play and SoundCloud.

The most recent security podcast reflects on the state of cybersecurity, specifically the skills gap we now face when looking for qualified cybersecurity professionals. Downs analyzes how to respond to the current skills gap, both by investing in enterprise cybersecurity training and by investing in cybersecurity training for your own personal career growth. He even offers advice on how to make cybersecurity training fun.

To listen to this podcast, visit the ISACA Podcast page of the ISACA website and subscribe to the ISACA Podcast on iTunes, Google Play or SoundCloud. You can also learn more about the state of cybersecurity by visiting the State of Cybersecurity page of the CSX website.


Discover the Cybersecurity Resource Center


Cybersecurity attacks only continue to increase, and the shortage of skilled technical professionals continues to grow alongside them. To provide you and your enterprise with the resources needed to remain secure, ISACA’s Cybersecurity Nexus™ (CSX) has introduced the Cybersecurity Resource Center. This new space offers a number of helpful, free resources and tools, such as white papers, ISACA Journal articles and State of Cybersecurity reports, that can help secure your enterprise and aid your personal growth as a cybersecurity professional.

CSX was created to provide practical, hands-on training and certification focused on real-world abilities in hopes of strengthening the industry as a whole. Its goal, for now and the future, is to build a stronger, more informed workforce that can keep organizations and their information secure.

To visit the Cybersecurity Resource Center, visit its page on the CSX website.