Cybersecurity Training and Governance Overview

UT DALLAS: Information Technology Cybersecurity - ITSS 4361

Agenda

  • Learning Objectives

  • Security Education / Training / Awareness Programs

Cybersecurity Training Programs

Differences between Training, Education & Development

  • Training:

    • Definition: Short-term, task-oriented activity.

    • Focus: Achieving a change in attitude, skills, and knowledge in a specific area.

    • Relation: Primarily job-related.

  • Education:

    • Definition: A lifetime investment.

    • Focus: Initiated by individuals based on their interests.

  • Development:

    • Definition: A long-term investment in human resources.

What Gives Value to an Organization?

  • People: Fundamental asset of an organization.

  • Other Assets:

    • Financial Assets

    • Physical Assets

    • Proprietary Assets

    • Intangible Assets

3 Reasons to Consider Ongoing Development

  1. Employee Turnover: Importance of a development plan for new employees.

  2. Career Plateaus: Need for educational and training programs to assist employees at this stage.

  3. Employee Obsolescence / Outdated Skills:

    • Causes: Technical advancements, cultural changes, new systems, computerization.

    • Purpose: Risk mitigation.

Why the Emphasis on Training?

  • Maintains Qualified Assets: Ensures qualified personnel are up to date.

  • Achieves High Service Standards: Training elevates service levels.

  • Provides Information for Newcomers: Essential guidance for new employees.

  • Refreshes Memory of Tenured Employees: Keeps experienced staff updated.

  • Achieves Learning about New Technologies: Ensures employees are familiar with new products or service delivery methods.

  • Reduces Mistakes: Minimizes operational costs related to errors.

  • Opportunity for Feedback: Allows for staff input and suggestions for improvements.

  • Improves Communication & Relationships: Fosters better teamwork and collaboration.

Developing a Cybersecurity Training Program

  1. Who: Target audience identification.

  2. When: Timing of training sessions.

  3. Why: Purpose of training.

  4. How: Methodology and instructional methods.

  5. How Often: Program frequency.

Five Principles of Learning

  1. Participation: Involve trainees actively, emphasizing learning by doing.

  2. Repetition: Reinforce ideas and concepts to aid retention.

  3. Relatability: Ensure material is meaningful and relevant to the real world.

  4. Relevance: Use simulations to ground material in practical applications.

  5. Feedback: Solicit trainee input and adjust methods accordingly.

Nine Steps in the Training Process

  1. Assessing training needs: Evaluate current needs based on external and internal feedback.

  2. Preparing training plan: Define long, medium, or short-term goals.

  3. Specifying training objectives: Objectives must be specific and measurable to ensure clarity.

  4. Designing the training program(s): Consider structure, duration, instructional method, and assessments.

  5. Selecting instructional methods: Determine the best methods for instruction.

  6. Completing the training plan: Finalize details including target audience and topic.

  7. Implementing the training program: Execute the training according to the plan.

  8. Evaluating the training: Assess the effectiveness and impact of the training.

  9. Planning future training: Use evaluations to inform future training sessions.

Step 1: Assessing Training Needs

  • Conduct a training needs analysis using:

    • External approach: Gathering insights from company, guests, or society.

    • Internal approach: Utilizing a staff opinion survey.

Step 2: Preparing Training Plan

  • Plan duration considerations:

    • Long-term (5-10 years)

    • Medium-term (3-5 years)

    • Short-term (1 year)

  • Utilize a holistic approach incorporating a calendar for tracking training activities.

Step 3: Specifying Training Objectives

  • Characteristics of Effective Objectives: Must be specific & measurable.

  • Need for clarity in what trainees should achieve (attitudes, skills, knowledge).

  • Align with industry or organizational standards.

Step 4: Designing the Training Program(s)

  • Consider key elements:

    1. Program duration

    2. Program structure

    3. Instruction methods

    4. Trainer qualifications

    5. Nature of trainees

    6. Support resources (materials, classroom)

    7. Training location and environment

    8. Assessment methods for learning and achievement

    9. Evaluation methods for the program itself

Step 5: Selecting Instructional Methods

  • Various training methods include:

    • On-the-job training (OJT): Learning in the workplace setting.

    • Off-the-job training: In-house or external training sessions (classroom or consultancy).

    • Independent learning: Distance learning from books or notes.

    • Computer-assisted learning and Interactive-video training.

    • Video conferencing: Mimics classroom learning across locations.

    • Note: This is seen as a critical aspect of training design.

Step 6: Completing the Training Plan

  • Key considerations for completion include:

    • Understanding the target group

    • Defining topic and specific tasks, skills, or attitudes

    • Choosing effective communication methods (direct vs. indirect)

    • Timing and breaks during training sessions

    • Location preference (away from the office?)

Step 7: Implementing the Training Program

  • Essential considerations include:

    • Trainer qualifications and experience

    • Participant selection process

    • Creating comfortable environments (physical & psychological)

    • Trainer enthusiasm and communication skills

    • Establishing feedback mechanisms

    • Trainer preparedness

Step 8: Evaluate the Training

  • Three Levels of Evaluation:

    1. Immediate Feedback: Surveys or interviews immediately following training.

    2. Post-Training Test: Assessment of trainees applying skills on the job.

    3. Post-Training Appraisals: Evaluations conducted by supervisors after the training.

Step 9: Planning Future Training

  • Final stage includes modifying programs based on evaluations to optimize for future sessions:

    • Maintaining successful components while incorporating suggested improvements.

    • Adjusting training strategies for different audiences even with similar topics.

Useful Tools in Training Cybersecurity

  • Self-Service: End-user content portals and WikiSites.

  • Documentation: Relevant guidance and procedures.

  • Facilitated Mandatory Compliance: Ensuring adherence to regulations.

  • Threat Detection and Analysis: Tools for identifying security threats.

  • Ongoing Support and Security Awareness Programs: Continuing education initiatives.

In Summary: Training Programs

  • Investment in personnel is paramount.

  • Results in Risk Mitigation: Reduction in risks pertaining to human capital.

  • Promotes growth in Cybersecurity Governance: Driving strategy and vision while improving security and minimizing risks.

Governance Summary

What is Information Security Governance?

  • Definition: Leadership-driven oversight focusing on the efficacy and cost-effectiveness of security measures protecting data environments.

  • Processes: Implementation of practices determined by leadership intent to protect organizational data.

Senior Leader Responsibilities

  • Provide strategic direction and ensure objectives are met.

  • Manage organizational risks appropriately, ensuring resource utilization is responsible and optimal.

Governance Culture

  • Directing and controlling organizations to foster a culture of security within conduct (beliefs, behaviors, capabilities).

  • Emphasizes the necessity of adequate security as a fundamental business requirement.

Functions of Governance

  • Strategic Direction: Establish vision/mission, operational policies, and guidelines.

  • Effective Leadership: Optimize financial, human, social, and technological resources.

  • Continuous Monitoring: Rectify governance arrangements and adapt as needed.

Governance Activities

  • Establish organizational structure with defined roles & responsibilities, ensuring segregation of duties.

  • Inventory technology assets and determine standards/compliance requirements, leading to an Information Security Strategy.

Integration Activities

  • Categorize assets by risk level and potential harm.

  • Conduct risk assessments and select security controls aligned with performance indicators from best practices.

  • Develop plans for incident response, crisis communications, and business continuity.

  • Resulting in an Information Security Plan.

Implementation Activities

  • Develop and execute security implementation & training plans while enforcing policies.

  • Importance of testing controls and making corrections as necessary.

  • Aim: Result in an implemented Information Security Plan.

Capital Planning, Reviews, Audits

  • Evaluate the security business case, return on investment (ROI), and funding.

  • Perform formal reviews and audits ensuring the sustainability of the information security program, providing confidence in protective measures.

How Mature Are Your Processes?

  • Most organizations conduct some governance regarding operational risks (including security).

  • However, processes may not be suitable for effectively achieving business objectives.

Increasing Levels of Competency (lowest to highest)

  1. No Process

  2. Event-Driven

  3. Partial Process

  4. Formal Process

  5. Planned

  6. Cultural

  7. Actively Managed and Controlled

Holistic Cybersecurity Governance Program

  • Includes:

    • Governance Program Quality Assurance / Quality Control

    • Adherence to legal regulations and risk standards

    • Audits, education and socialization processes, adherence, and oversight

Barriers to Effective Governance

  • Common issues include:

    • Ineffective leadership

    • Lack of commitment to vision, mission, and values

    • Unclear definitions of roles and responsibilities

    • Inadequate clarity on management and stakeholder roles

    • Ineffective operational adherence

    • Lack of training

In Summary: Security Governance

  • Key Roles:

    • Set information security vision

    • Establish strategy

    • Engage experienced personnel/advisors

    • Ongoing improvements to enhance security and reduce risks