Knowledge Transfer


Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
>> The last thing I want to emphasize in module one is the importance of knowledge transfer. Now, with knowledge transfer, we can simplify that and say the importance of training our employees and training individuals in the way of the security Jedi and making sure, again, that our employees are capable of making good business decisions based on risk awareness. Training doesn't fix everything. But training is certainly a good defense against attacks like social engineering, making sure that users understand what the security threats are and how those might materialize, understanding best practices, understanding reporting of incidents. There's a lot of information that our users have to have to make good decisions, and those of us who are Information Security trainers have the responsibility to pass that information along.

Ideally, when we talk about knowledge transfer, we think about three main areas. We think about awareness, raising security awareness, not as an end result but as a step towards modification of employee behavior. I want to make my users aware of threats, aware of vulnerabilities, and aware of solutions in the realm of security as well. Now we also have training, and usually training is to enhance a specific skill. I'm going to train you on the new software. Then we have education, which is much broader and includes awareness and training and any way that knowledge is increased. All right, awareness, training, education: those are all going to be ways that we transfer knowledge.

Like we said, knowledge transfer really is an important step in our security toolbox. Employees cannot and will not follow the directives if they don't know about them. Absolutely. Also, I would add to that that employees need an understanding of why, why the rules are what the rules are. By that, I mean, I'll give you an example. One of the first classes I ever taught, this was back in the mid-1990s and I taught it at Wake Medical. I used to live in North Carolina. I lived in Raleigh for a while and I taught a group of nurses how to migrate from Windows 3.1 to Windows 95. Yes. It's been a minute since that happened. But what I remember, I'm always going to remember this because it really cracked me up. But I remember we spent the better part of the morning discussing the miracle of the right-click. You can left-click, check this out. Now, you can right-click. This was not a high-end tech team. Back in the 90s, a lot of people work. I remember, it was a very basic, slow progress, but we're getting there, and then we took a break for lunch.

I was sitting down at a computer, at my system, and I was going to eBay. I can't remember if I was buying something or selling it, but I was going to eBay and the hospital's proxy server blocked me from going to eBay. I typed out the address and I got a message that the site doesn't meet the standards of the hospital. I was all right. I didn't care. I was just goofing off. But one of the nurses in my class walked past me and she said, "Oh, do this. Go to www.proxy7.com and then type out the name of the site you want to go through." The woman did not know how to right-click, but she knew how to send me to an anonymizing proxy server out on the Internet so I could bypass the internal proxy server of the hospital. That just shows you the importance of telling our users why we do what we do. She didn't think she was violating security policy. She just knew she tried to go one direction, it didn't work, so somebody told her a different direction to go and she did it. If the front door is locked, you try the sliding door.

When we tell our users why, what threats we're trying to mitigate, how those threats materialize, what our defenses are and why we implement them, that helps employees understand that just because it's not on a checklist, there are still certain activities that we don't undertake because they could introduce risk. A quality training program educates users rather than just giving them a list of do's and don'ts. The importance of training cannot be understated. We can raise security awareness. Maybe we have posters throughout the organization that say, never give someone your password. That's raising awareness. Then we can train based on specific skills and lead to the overarching purpose of educating our users with the end result of modifying their behavior and encouraging them to work collectively in a risk-aware environment where they're capable of making good security-related decisions for themselves.