The critical equation in data and information security is often cited as "People + Process + Technology." The "technology" factor of the equation is rarely contested, and most will agree that "people" and "process" are equally important. Yet in practice the emphasis is usually placed on having the latest technology. Process is certainly important, but unless there is buy-in from the people who must follow that process, it does little good. In fact, one might argue that of the three variables in play, the people are the most important. Every day, people are called upon to use discretion and judgment in applying corporate policies and processes. Without proper education and training, employees cannot make informed decisions. To augment existing security and privacy practices, many companies are beginning to invest in employee training so that they can create a culture of security and privacy.
It is a common refrain of mine to say that security and privacy are everyone's responsibility, yet too often they are relegated to the domain of compliance officers or IT security groups. The result is that employees who interact with sensitive data on a daily basis often have little or no training on how to protect that data. When a breach occurs, companies are left to point out that, though it may not have been followed in this case, they did have a published information security policy. Often these same companies are at a loss to explain why, if such a policy existed, it was not being followed. The answer is often alarmingly simple: lack of training.
Some companies may be reluctant to train employees who seemingly have little or no interaction with the data. This is roughly equivalent to saying that a cardiologist does not need to be familiar with respiratory function because, after all, cardiologists specialize in the circulatory system, not the respiratory system. The largest challenge facing companies with respect to the training requirement is simply making it relevant to the employees in question. At the end of the day the entire company, not just certain departments, is responsible for the protection of cardholder data. Therefore the entire company should be familiar with the requirements and its responsibility under them.
Any organization that handles payment cards is by now familiar with the Payment Card Industry Data Security Standard (PCI-DSS). Among its myriad requirements is a mandate (Requirement 12.6) for a formal security awareness program that makes all personnel aware of the "importance of cardholder data security," delivered upon hire and at least annually. This requirement seems fairly straightforward, and because it appears easy to comply with, many companies tend to gloss over it. In practice, though, it can be a tricky one.
Training is often mistaken for a very rudimentary function, yet for the training to be effective and defensible (which is extremely important if continued employment depends upon successful completion of the training), it must adhere to accepted practices of adult learning. A major tenet of adult education is that instruction be timely and relevant to the job at hand. This leads to the first major hurdle in providing training to each employee. Many companies seek to meet the training requirement by providing annual seminar-type training for all employees. Unfortunately, by doing this companies are selling themselves short. For example, it would not do to give the Human Resources department the same training received by the Information Security group. The levels of familiarity with information security principles are widely different between the two groups, and holding the HR group responsible for the same level of data security knowledge as the IS group is neither fair nor a legally defensible position. To ensure that all employees are familiar with their particular responsibility to the data, the training needs to be relevant to their job function.
As a fan of analogies, one might liken the situation to putting a sixteen-year-old behind the controls of an F-16 and telling him or her to fly. It is a recipe for disaster. The person behind the controls has no familiarity with the system or with what each of the buttons, levers, pedals and other equipment do, so how can they be expected to make sense of the cockpit? Similarly, leaving the security and privacy of your customers' data under the purview of employees who have at best an incomplete understanding of how to protect data exposes the company to a very real risk of compromise. Without proper training, employees cannot be expected to inherently understand what constitutes sensitive data or the proper methods to be employed in protecting it.
Further, as mentioned earlier, if companies are predicating continued employment on successful completion of the training, the training provided must be objective, measurable and relevant to the employees' job requirements. In adult education, this is commonly referred to as the M.O.S.T. principle: Measurable, Objective, Standards-based, and Testable. In other words, the training cannot simply consist of distributing a copy of the policy together with the PCI-DSS standard. Not only would such a method be difficult to justify legally, but it would do the company little good with respect to creating a culture in which data security is a principle, not simply a buzzword.
If a company currently has an in-house training department, it may already have developed a training pedagogy that will help it provide consistent, applicable, relevant and timely training. In addition, the training process itself should come under review periodically. In fact, the last element of any training program should be a self-assessment to ensure that the training was conducted properly and that any necessary adjustments are made before the course is presented again. If, however, the organization does not have a training function in-house, it may choose to look for a third party to assist with it.
In choosing a third party to assist with the training function, there are a number of things that should be considered. Firstly, experience with the subject matter is paramount. Data security and the PCI-DSS are extremely complex subjects, and training should be conducted by individuals or organizations with significant experience in both. Secondly, a comprehensive training methodology, or pedagogy, should be in place. Training should not be an ad hoc affair, but rather the result of careful development to ensure maximum effectiveness.
Among the most important traits to look for in an outside trainer is flexibility. Every organization will have different training needs and areas of focus. While some of the information presented may remain consistent from organization to organization, there will always be some customization involved. One must question why a trainer would be unwilling to adapt the content to the needs of a specific organization. Is it because they lack the depth of experience and knowledge necessary to adapt? Or is it because they do not see the training as a critical component of security, but simply as a check in the box?
Herbert Spencer, an English philosopher and political theorist, once said, "The great aim of education is not knowledge, but action." This has particular relevance to training employees on data security. When educating one's employees on data security and privacy principles, the aim is not simply to help them accumulate knowledge. The ultimate purpose is to help them make the right decisions and take the right actions when it comes to the protection of data.