BankInfoSecurity.com - Information Security News, Regulations, & Education

CISO Jeff Bardin on What Makes A Successful Training Program
July 12, 2007
Listen in to this Information Security Media Group podcast to hear the CISO at Investors Bank & Trust talk about what makes successful training programs work. Jeff Bardin has a wealth of experience in developing training programs for a wide range of organizations. Previously he held CIO- and Director-level positions at organizations such as Arabian Data Systems, Centers for Medicare & Medicaid, Lockheed Martin, General Electric, and Marriott International.

Bardin has performed HIPAA, GLBA and SOX assessments and support, documentation, and certification and accreditation activities for government agencies with budgets of more than $500 billion, over 1 billion yearly transactions, and 6,000 employees in dozens of locations nationwide. He has also authored several articles on information security, edited college textbooks, taught information security, IT governance and risk assessment methodology courses, and spoken at several industry conferences.

Listen as Bardin explains why awareness training should be required for everyone; why rewarding good behavior is a must; what other training financial institutions should focus on (AML, GLBA, and privacy issues); and why more training on social engineering is vital.

Bardin discusses the challenge of training employees, getting them to apply the training in their everyday work, and getting them to take it seriously; he also describes why senior-level support is needed for security awareness training, and what it takes to make security a core value in an institution.

Excerpt

RICHARD SWART: Are there particular topics that a manager of security at a financial institution should focus on when developing their training programs?

JEFF BARDIN: Financial institutions definitely should focus on anti-money laundering and fraud-type training as well as Gramm-Leach-Bliley training. They're definitely two that must be trained upon and tested. We do that. In addition, there are others that we've expanded into on privacy areas, performing risk assessment, building security into the systems development life cycle, a little more technically focused, talking about how to build meaningful metrics that expand within a security area and privacy and compliance. We've also held brown bag lunches around CISSP training for more technical staff as well. One of the ones that we seem to continue to teach over and over again is social engineering. We get a lot of phone calls from outside from people posing as someone they're not, trying to gain access. Pretty much all your technical controls will be for naught if you have social engineering occur in your environment. We try and push heavily on the social engineering.