Who Should Be Able to Opt Out of Security Awareness Training – and How

by Ian Palmer, researcher for InfoSec Institute, March 9, 2016

Brad Johnson is adamant that no one in an organization should be exempt from security awareness training. Not the CEO. Not the chief security officer. Nobody.

Johnson, the vice president of SystemExperts, says that making exceptions on the security awareness training front would only open companies up to a host of problems that otherwise might have been avoided.

“Who should be able to opt out of security awareness training? The simple answer is nobody,” says Johnson. “Yes, I said nobody. What about the chief security officer? Nope. What about the director of IT management? Nope. And so on, and so on. Let’s ask this same kind of question in a different context. What NFL player should be able to opt out of practice? Should an NBA player be able to opt out of warm-ups?”

Johnson, who has participated in seminal industry initiatives including the Open Software Foundation, X/Open, and the IETF, is one of the many experts who insist on providing training without exceptions. Rather than considering who should be able to opt out of security awareness training, Johnson says that companies need to mull instead over what sort of training should be provided to employees.

While the experts agree that everyone from the top to the bottom of an organization needs to take security awareness training, some believe that the trainers who run such programs could be exempted on account of their extensive knowledge and expertise.

Background Stats

According to the 2015 US State of Cybercrime Survey, cybersecurity incidents are both increasing in number and becoming more destructive. Moreover, the adversaries behind the attacks are investing not only in technologies but also in training their crews to attack with greater efficiency. If the bad actors believe in training, then so, too, should the companies that often find themselves on the receiving end of cyber attacks.

The study notes that businesses that invest in and implement new technologies to safeguard against cyber attacks, without updating processes and giving workers training, will probably fail to get the full value out of their spending. And while security awareness training is critical, only 50% of survey respondents acknowledge that they run periodic security awareness and training programs, and only 50% of respondents admit that they provide security awareness training to new hires.
