Americans love their football. From high school football to the NCAA and the NFL, we follow the sport like no other.
On the surface it might not appear that football and security awareness training have anything in common. However, upon further reflection, I’ve noticed that many of the strategies employed by your security team, and those of your favorite football team, revolve around a number of the same practices in order to achieve success.
Say what?
In football, the difference between success and failure is often dictated well in advance of the opening kickoff. Inevitably, it’s based in good part upon how a team approaches their training regimen. What if the coaching staff decided that over the summer months they weren’t going to hold practice? What if they decided they weren’t going to set up any training programs? You’d think that the coaches were out of their minds. How could a team be successful without training?
Do you see where I’m going here?
The same can be said of security training. According to Verizon’s 2015 Data Breach Investigations Report, which analyzes security incidents that happened last year, humans were again the weak link that led to many of the compromises suffered by organizations around the world. While also their greatest asset, organization’s employees are the weakest link.
Just like a football team, organizations need to provide full training programs to each and every one of their employees on all aspects of information security. Without training, the organizations will leave themselves vulnerable to any number of security breaches. How are you expected to win the Super Bowl, or in your business, be successful in preventing a security breach, if your team hasn’t had adequate training? Oftentimes it is simply better employee awareness that is the key to the prevention of security incidents.
So let’s talk specific training regimes. In football, players have to prepare for a number of situations: a punt return, a blitz, or the question that the defense faces on every play, will we be facing a passing play or a running play. It takes specific training to be prepared. The same goes for your organization’s security awareness training program. Employees face a number of “plays” every day and they must be prepared, from identifying phishing attacks, to creating passwords, using mobile devices, and detecting social engineering attacks.
It’s Super Bowl Sunday. Your ball fourth and goal. Two seconds left in the game. Your team is down by four. And, just like the head coach trying to get his team in the end zone for the winning score, will you have prepared your employees to know what to do so they can execute when it is crunch-time, or will they fall short? In security, as in football, preparation in the form of a security awareness program that is effective at helping employees be prepared is key. Interactive, highly engaging training that teaches critical security skills in an easy-to-understand, fun format will drive real behavior change. In the end, this training will separate the winners from the losers, and help you raise the Vince Lombardi Trophy in security victory.
Mr. Kunitani has nearly three decades of experience in the information security, computer industry, and physical sciences. His contributions have been as a researcher, software developer/engineer and manager.
Mr. Kunitani holds certification as a Certified Information Systems Security Professional (CISSP) and earned a Masters in Atmospheric Science from the University of Wisconsin-Madison, and a Bachelor’s in Statistics from University of California-Berkeley.
- Why security awareness training is like training for the Super Bowl - September 24, 2015
Nice article. You know you’re preaching to the choir here, right? The last nine years of my career was spent in IT security, and I found that “most” of my co-workers agree with you. However, the most difficult thing to do was to persuade our “customers”, those outside the Security Department, that security was important enough to engage all employees, at all levels, in its practice. There seems to be a persistent slice of the workforce who only seem to get concerned when they have made themselves the subject of Administrative Inquiry, and even then they wonder why all the fuss over what they’ve done. Security posters, security newsletters, and security briefings only go so far – getting real buy-in to the spirit of security is the toughest of things to accomplish – I don’t suppose 100% buy-in will ever be possible, but as a security professional, when you announce your next security briefing, it would surely feel better not seeing smirks on the faces of some you’d like to say you trust at a higher level. As the opening words of Superman used to say, the battle for Truth, Justice, and the American Way is never-ending.