This article was originally posted on Security Boulevard.
Security awareness training should be part of every organization’s cybersecurity program. Employees can’t prevent risk if they don’t know what risk is. Even the most seasoned cybersecurity professional had to learn that you don’t click the link in a random email!
While security awareness training helps employees recognize threats, phishing and social engineering attacks still succeed often enough to make clear that awareness training alone isn’t sufficient.
In a recent study conducted by Security Journey, researchers asked participants a simple question: Where does security awareness stop and security education start? To answer that question correctly, you first must understand the difference between the two approaches.
“Security ‘awareness’ in application development equals recognizing what a particular flaw may look like,” the report explained. “But security ‘education’ is understanding exactly how this flaw will affect the product, the business, and the customer and what can be done to remediate the flaw.”
“Security awareness in training is crucial for building security culture, as it provides a foundation and state of alert,” said Amy Baker, security education evangelist at Security Journey, in an email interview.
“However, while awareness involves recognizing a problem, to truly drive change in application security requires persistent education and knowing what to do about that problem. At its core, education instills a deeper knowledge of security practices, while awareness stops at a conceptual level,” Baker added.
Where Education is Most Needed
Security awareness training is most often thought of as an annual or biannual session presented to everyone across the organization—that’s at least a start for the people who are in non-technical jobs. Those in technical jobs like engineers and developers are often assumed to naturally understand risk. Baker pointed out, however, that more than half of the biggest incidents over the last five years could be traced back to web application security issues, yet organizations aren’t investing in training developers in secure coding.
“Unlike awareness, application security education is based on central principles or ‘big ideas’. If key security concepts are part of a continuous and programmatic education initiative, development teams can learn to apply knowledge, skills, and experience to novel situations and better secure applications,” said Baker.
When application security principles are understood, developers can then not only identify when code isn’t quite right or spot something that creates risk, but also effectively design against it.
“Awareness doesn’t go far enough for security-critical roles such as software developers, product and UX managers, quality assurance and scrum masters who are all responsible for delivering safe applications,” said Baker. “What’s needed is deeper education, and there are several ways that this can be incorporated into the awareness training mix.”
First and foremost, Baker stated, the concept of continuous and programmatic security education—and why it matters for security-critical roles—requires buy-in from everyone within the organization. As the threat landscape continues to evolve, security knowledge must also continue to evolve and remain current.
Leaders should set measurable goals and incentivize security success to help get education right. These goals don’t have to be complicated. They can be as simple as identifying the number of vulnerabilities in code before and after training initiatives to show progress and provide tangible evidence of the program’s value.
Finally, incentives and rewards can be offered to anyone who applies their security education to their job duties. Those who best exemplify their security education can then become ‘champions’ for security within an organization and organically influence change.
How to Promote Better Education
Security education comes from both inside and outside the organization, but it should be driven from the top and across both technical and non-technical departments. It shouldn’t be a one-size-fits-all solution but rather one geared toward employees’ roles within the company.
“Innovation and security do not have to be mutually exclusive and key decision-maker support means no roadblocks to hinder progress when it comes to secure app development,” said Baker. Leadership should ensure everyone on the development team is thinking about security whether or not they actually write code. They should understand how security impacts the end results of their job responsibilities.
“We also need greater collaboration across industry and academia to emphasize the importance of security education throughout a developer’s entire career,” said Baker. “Rather than blaming developers, it is the responsibility of organizations to provide access to educational resources, to support training initiatives and to drive home the importance of baking security in from the start. Universities also need to facilitate education in application security and make courses in this area a compulsory part of software development training.”
Going from awareness alone to education creates a security-first approach, with confident employees who know that they can fail safely and have the resources available to avoid the same mistakes next time.