Security is hard.
You can have entire departments dedicated to protecting your organization from attackers, locking down all their applications with industry-standard best practices and defending against constant threats. Defending the company is a never-ending task; you’re constantly on alert. But an attacker only has to get through once. Just once. And they’ll inevitably get in via whatever is the weakest link — which, unfortunately, is usually the humans on your staff.
You can throw as many security engineers at the problem as you want, but the fact is that the best holistic defense against attackers is to have everybody in your organization well trained against the most common security threats. When your entire staff has the basic training of a security engineer, things get much easier.
But like security, security training is also hard.
Throughout my career, I’ve participated in many types of mandatory security training. Most involved logging into a website and spending two hours watching videos of several contrived and cringe-worthy role-playing scenarios.
Then I was forced to answer a set of multiple-choice questions. The kicker? I got an unlimited number of attempts to get the right answer. Not surprisingly, I haven’t yet met anyone who came away from such training feeling like their time was well spent and that they had learned anything, much less anything useful.
Even so, I can understand why these types of training are common throughout the industry: They don’t require much upfront investment and make it easy for companies to track participation for compliance reasons. But while they may tick the compliance checkbox, the security posture of your company isn’t being improved if your employees aren’t learning anything.
Security Training at PagerDuty
We wanted to do things differently at PagerDuty, so we decided to build our own security training courses instead. Rather than following the usual security training programs and giving employees a bunch of rules they need to follow, we focused on teaching our staff how attackers think. Put simply, we found that showing is better than telling.
We built our training on a few key principles, but we ultimately just wanted people to pay attention without feeling like it was a chore and to leave feeling like their time was well spent and that they actually learned something new. (For more details on our principles and the results of our training, check out “Our Approach to Employee Security Training.”)
The principles we worked with were:
- Teach the why, not just the what;
- Don’t shy away from technical details;
- Make it accessible for any skill level;
- It’s okay to be funny.
As a quick example of how we applied those principles, let’s take a look at passwords. Most security training and other articles out there will tell you that you should always choose long random passwords and never share them with anyone.
But how many training courses teach you how to crack passwords? That’s the approach we took — and we found that showing our audience just how easily attackers can break passwords had a much larger impact than just telling our staff to pick “good” passwords.
After the training, most of our fellow employees gave us comments about how eye-opening it was to see how easily passwords are cracked — but we knew the training was really a success when many of them switched to using password managers for all their passwords shortly after.
Another example: As an employee, one of the most-dreaded emails to arrive in your inbox isn’t a sophisticated phishing attempt; it’s an invite to a mandatory 90-minute meeting called “Security Training for Everyone.” Just reading the subject of the email is enough to make people’s eyes glaze over due to their preconceived notions of what security training normally entails within the industry.
While sending such an email is inevitable, we wanted to show our fun side and allay any concerns that this would be a normal, boring training. So we made some fake movie posters and hung them around our offices because adding a bit of fun builds up enthusiasm for the training, which means folks are more likely to pay attention.
You’re probably thinking, “This is great and all, but why are you telling me all of this? How does this affect me?” Well, unlike most other organizations that prefer to keep their internal security training private because they fear letting attackers know how they train their staff, we’ve taken a different approach at PagerDuty.
Just like with our incident response documentation, we see great benefits in sharing our internal practices with the community at large. So, not only is our internal security incident response guide open-sourced, but we’ve done the same with our security training, too.
All of our security training materials are free for anyone to use. The source is available on GitHub, and it can be viewed on a pre-made website just like our incident response training. We have two training courses: one for everyone on our staff, and another geared towards engineers. Even though the engineering one is a bit more technical, all our employees are encouraged to take it — however, we don’t make it mandatory for non-engineers.
But even with all our training materials and guidelines, the fact is that security is still hard. While developing engaging training materials is crucial, it’s never going to guarantee 100 percent security (top tip: nothing will).
Our training received rave reviews and constant comments on how different and more fun it was than other companies’ offerings. But you can’t just throw the training at people and call it a day. Continuous training is important, whether it’s updating your staff on some of the latest phishing attacks you’ve seen and the key indicators or enjoying security awareness month by planting various devices with flashing lights around the office to see if anyone reports them.
Defending the company is still a never-ending task — but having a well-trained staff definitely makes it easier.
Curious to learn more? Check out the training for yourself.