Security training programs are boring. I don’t have the statistics to support this claim, but surely there are other things employees have to do, or would rather be doing, than attend a one-hour session instructing them on security policies and best practices! Think about a security professional sitting in an accounting training class. It is done because it has to be done, with varying levels of interest, mostly low.
And the aim of a training program, or indeed any presentation, is to engage the audience and deliver a message that sticks, preferably for a long time. Going through slide after slide of bullet points is just another presentation the audience will never remember.
I recently delivered a PCI training session to a few DBAs. The slide deck was ready to take them through the whole nine yards of PCI DSS, to ensure they understood what it meant and that it has 12 requirements they should be aware of. Having sat in their chairs before, I thought there might be a better way to deliver it and make the training more interesting. On an impromptu decision, I went with a real story, which is always a great start.
So I decided to tell them the story of one particular individual named Albert Gonzalez. Now, he should’ve been classed as one big APT by the number of ‘results’ he had under his belt! :) His was more of a joint effort, but the story of the several breaches he led sticks, and it sticks well. The events are also directly or indirectly responsible for the onus on QSAs to store evidence while performing an assessment. I’m sure many QSAs don’t like Mr Gonzalez for that, but I must thank him for providing such an entertaining story for my audience.
I didn’t have this transcript during the training, but the conversation excerpt is a good insight into one of the many threats the standard aims to protect against. I must mention that A. Gonzalez bought a 0-day, but let’s not go there.
This is also the key approach in security: realise the threats.
Once a good DBA knows what the threat is and what is being protected, it usually helps them understand the rationale behind the rigour of the controls and their own responsibilities, and helps them watch out for suspicious events.
Chances are, it may help them avoid installing the Facebook Dislike Button!