Tips for Training
Expertise and Interactivity Key to Developing a Collaborative Security Education Program
The perspective on information security changed forever on September 11, 2001. Once a check box on a training attendance sheet or a mandatory requirement to be satisfied, security awareness training and education has today become a hands-on, intensive and integrated program. It rests on a well-founded training strategy that includes a formal course curriculum alongside other learning interventions, all designed to deliver the appropriate security information and messages to employees at every level.
Greg Golembe is Director of Training at the Office of the Comptroller of the Currency (OCC), which regulates and supervises more than 1,900 national banks and 51 federal branches of foreign banks in the U.S. Golembe says the OCC training focuses heavily on exercises and networking. One key element is that the instructors are highly qualified individuals, including examiners, senior deputy comptrollers and assistant deputy comptrollers, all of whom have an average of 22 years of experience in the field. Besides classroom-led courses, the OCC also delivers security training through telephone seminars and exhibit booths at both national and state conventions to get the message out.
This approach stresses that an effective security training program must be delivered by a qualified trainer and designed to convey a range of security messages through various channels to all employees. Formal instructor-led training, computer- or Internet-based training, videos, conferences, forums and other technology-based and traditional delivery methods should all be part of an integrated training package at any bank or financial institution.
"Security exposures can be greatly reduced with a fairly articulated set of objectives, clear responsibility and understanding of the 'why' piece and the impact if it is not done, and this can be achieved through security training, awareness and education," says Tom Festing, a senior manager handling risk management and information training programs at Crow Chizek & Company LLC. He goes on to describe the essential components of an integrated security training program, sharing the following tips:
Any security training package at a bank needs to be collaborative and include a clear understanding of the regulatory and business environment that the institution is in. "What do I have, and what am I trying to protect?" are the key questions to address.
A sound training package should address basics like:
- Who is the training audience?
- What are the scope and objectives of the security program?
- What are the security learning needs of employees at the bank?
- What are the bank's training expectations?
- What processes, tools and requirements will be adopted to accomplish an effective integrated security training approach?
- What will the training delivery method entail?
- What is the consequence of not implementing and adhering to a security training program? What is the cost to the bank in dollars? The risks of not initiating and following a sound training program need to be understood thoroughly.
- Understand that security training is an individual responsibility and every employee needs to own the process.
- Security training is a way of life: it needs to be measured continuously and should be part of the annual evaluation process adopted by the financial institution.
- As a good practice, financial institutions should always formalize their security training program after having it reviewed by their bank examiner, and should incorporate the examiner's view of what a bank's training program ought to contain.