blog / Nov 14, 2017

A CISO Landmine: No Security Awareness Training

by Mike Levin, Center for Information Security Awareness


In 2007, Michael Levin retired from the United States Department of Homeland Security after a distinguished thirty-year career in law enforcement. Michael served at the Department of Homeland Security as the Deputy Director of the National Cyber Security Division. Michael previously served as the Branch Chief of the U.S. Secret Service Electronic Crimes Task Force program in Washington DC. Michael was a member of the Secret Service Electronic Crimes Special Agent program and worked in computer forensics and cybercrime investigations for over fifteen years. After this distinguished career, and seeing the need, Michael founded the Center for Information Security Awareness. The CFISA (cfisa.org) brought together a group of leading academics, security and fraud experts to explore ways to increase security awareness among many audiences, including consumers, employees, businesses and law enforcement.


Executives are slowly but surely recognizing the ramifications of providing the wrong answer when asked the questions: “Prior to the breach, did we train our employees in the acceptable use of company assets? Did we train them about what they could and could not do?”

Do you work for a company that requires employees to sign an annual “acceptable use” policy statement? Many companies fail to provide the training behind that policy, and fail to enforce it, even though untrained employees are one of the largest vulnerabilities a business has.

While working for the US Secret Service in 1991, I was one of the primary investigators involved with a major cyber breach of a large corporation. Secret Service and FBI investigators were sitting in a large corporate conference room with the president, CEO, CISO, and a group of corporate attorneys. On the phone was a host of IT managers and others.

One of the IT managers responsible for the server that was breached insisted that this incident was a “major brute force hack.” It didn’t take long, however, for the law enforcement investigators in the room to discover that the admin default passwords left on the server were actually the cause of the hack.

Fast forward 26 years to the Equifax hack, and we have very similar issues, with best practices not being followed, trained, and enforced!

As an executive, do you still have the attitude, “My employees should just be focused on their jobs and performing their tasks, not taking security awareness training or learning about the latest risks”?

CISOs Haven’t Fully Embraced Security Awareness Training

A recent F5 and Ponemon report, “The Evolving Role of CISOs and their Importance to the Business,” shows that CISOs aren’t fully taking advantage of the power of security awareness training. Let me outline a few relevant findings:

  • Only 40% of surveyed CISOs include security awareness training as part of new employee on-boarding.
  • Just slightly more than half (51%) have a formal security training program in place for employees.
  • Nearly a quarter (24%) rely on informal and on-the-job training to teach employees security processes.
  • Just 62% of CISOs are doing security awareness training at all.
  • Only 8% of the security budget is dedicated to security training.

This report makes it clear that most security executives don’t realize that just one serious security incident or data breach could destroy the growth and profitability of their companies. It’s more important than ever that every company integrate an enterprise-wide IT security strategy into its mission and goals.

How to Avoid the Landmine: Implement Security Awareness Training

We hear a lot about the “human firewall” and other concepts that imply we can somehow just “patch” our employees and fix this problem. Throwing policies and procedures at the problem will not eliminate our growing vulnerability.

Frequently, IT managers convince C-suite executives to spend the IT budget on hardware and software security solutions. They totally ignore the fact that many employees are clicking on every email, link, and attachment they receive. Not training your employees on what they can and cannot do is no longer an option for any enterprise.

I have been training employees for over 10 years in security awareness best practices. I have spoken with thousands of employees, and a few things are clear:

  1. Employees want to know how to protect themselves and their families.
  2. Employees frequently don’t have any idea what they can and cannot do with company resources because there is insufficient training or reminders.
  3. Employees don’t want to be the one who screwed up and took down the company’s system.

Security awareness training is not overly complicated. It just needs to ensure that all three of these concerns are integrated into the training to achieve employee buy-in and participation.

Final Thoughts

We can no longer use the excuse, “We don’t have the budget, time, or resources to train our employees.” All executives who are responsible for the success of their organization must recognize the need for every employee to participate in the safety and security of the business.

Security awareness training that achieves employee buy-in and participation will dramatically reduce business vulnerabilities, and the return on investment will far exceed all other IT expenditures.

Security awareness training has become a required part of security best practices that must be implemented on a recurring basis.

Making the decision to hire an external service to conduct necessary security training is an easy solution to ensure your employees do not put your business and assets at risk.


To read more from Michael Levin, please visit The Center for Information Security Awareness blog at cfisa.org/security-blog.html.

MODIFIED: Dec 13, 2017
