Fun and friends: critical success factors of security training


Be careful what you wish for. After years of campaigning to get information security on the board’s agenda, now its presence on there usually means something has gone, or is about to go, terribly wrong. By then, you’re in problem-solving mode, and all of your good intentions about elevating the security skills of all personnel are on hold.

By Joost Boele & Robbin van den Dobbelsteen

Are you resilient to cyber-attacks?

In an era where banks call themselves IT companies with banking licenses and the line between business and IT is fading, the success of your organization hinges upon the skill of your engineers. This is as true for your key business processes as it is for fending off attacks on them.

Are you confident your engineers produce code that is not only functional, but resilient to cyber-attacks? In our experience, just like builders are not trained to tear down buildings, software engineers are not taught hacking skills in college. That’s a shame, because besides being fun, teaching your programmers to think like attackers is also very cost-effective.

Everybody has seen those “agile cost of change curve” diagrams, which describe the relative cost of fixing defects at each stage of the software development lifecycle. Security flaws follow the same curve: they are cheapest to fix when they are never introduced in the first place. Effective training bridges the gap between being an organization that is really good at facilitating its own business processes and being all that and secure too.

So, what is necessary to make this happen? Bluntly put: fun and friends.

Security skills

Being security professionals first and trainers on top of this, we have pretty much seen everything. We’ve trained (DevOps) engineers, security departments, defense and law enforcement agencies, executives and entire workforces. No level of security skill (or lack thereof) surprises us anymore, and we have found that the best way to make skills stick is to put them into practice in a safe and fun setting. A great example of this is our Hackazon platform, where security skills on all levels can be practiced in a realistic and engaging manner, and individual progress can be tracked.

When successful, security training has a side-effect: your security people will spend less time fixing the obvious, which gives them time to do the more complex things properly. Just ask them what they do on a daily basis, and compare that to what they should ideally be doing. Chances are they’ll volunteer to be trained as trainers during that very same conversation, which is the second key tenet of an effective training program: having your engineers make a friend in the security department.

Being visible and being perceived as a friendly business enabler are key success factors for your security people, and training their peers allows them to achieve this. Provided with the right tools, your engineers might (self-)organize into security champions or satellites, further taking the burden off your security officers and helping security become part of your organization’s DNA.

In other words, security training is about reducing cost and enabling business: the promise that originally got you on the board’s agenda.

More information

Want to learn more about your engineers learning more, or get a demo of Hackazon? Reach out. It will be the most cost-effective (and fun!) time you will spend on information security this week.