Training and Testing
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
Already have an account? Sign In »
2 hours 33 minutes
Hello, everyone. And welcome back to CyberRays and user Physical Security. Course
I'm your instructor. Corey holds er, and this is less in 4.3 training and testing.
I have three learning objectives for this lesson, and they are as follows. First, we're gonna discuss the importance of training.
Then we're going to talk about how a company contest a plan.
And finally, we're gonna discuss a little bit how toe update plans based on experience.
Now, one of the main reasons we train is the concept of knowing versus understanding.
Knowing is not understanding. There is a great difference between knowing and understanding.
You can know a lot about something and not really understand it.
The goal of training, therefore, is actually to understand something.
I can look at a series of 10 steps and I can repeat those 10 steps. But if I don't understand why each of those steps is important and why they need to be done in the order they're in,
I'm not going to really appreciate
what it is I'm doing. And it's actually ah, higher probability that I'm gonna make a mistake. So it's important is end users to understand why certain processes were in place and understand what they really do and what they mean.
And we get that knowledge and that understanding
We have policies and plans for particular events, but that's not enough. They can sit on the shelf and gather dust. But then
when the time comes, if I need to do that action or even knowing that, that is the response I need to do in the event of, let's say, a disaster like we talked about in the last lesson,
if I don't know that there is a plan in place of how to respond. In the case of a fired A fire within the server room,
I'm not even open that book. I probably just gonna run out of the building because there's a fire. That's but I have now failed to do something that's expected of me. So training
starts with, We start with reading. We understand. We read what the plan is that we become familiar with it. With training, we develop that understanding like I was I was talking about in the last slide
and even more important than that, with understanding comes adaptability,
adaptability, just me basically is is just that you can you can let's they have a plan in place to respond to fires.
in an event it may not. Maybe it's it's an electrical fire versus a, um,
a man made started one. Let's say it in a garbage can somewhere,
you have to fight different fires different ways because the chemicals that need to be used to actually put them out or even the fire suppression systems in a server room are different from, ah, common work area. So that kind of
I'm just truly understanding the plant means that you can adapt when factors aren't exactly as they were
in the training.
As General George Patton once said, You fight like you train, so if you take your training seriously
when it comes time to actually apply the training, you will take it. Justice seriously, because it's important to you, is important enough to train in it. It's important enough
to actually do it when the time actually calls for.
So how best to practice
or test training?
one of the common methods that I've seen employed a lot and actually works very well is what is known as the crawl walk run
approach to training
I know I have my and my little icons there, which is taking it very simply, Let's be do the very basic. We're not expecting everything to be perfect. Maybe we're even reading from the manual as we do this
and we just walked through, discussed through what we would do in the event, Let's say, off a fire in the building. Let's let's use that is the example
the crawl phase might be to have
everyone within a department there. And
if it's Joe's responsibility, Teoh grab the thing to do to fire marshal responsibilities. He's going to be the one who says I get up. I remind everyone Teoh, grab their I DS.
Leave their personal belongings and exit the exit the department area I make. I then make sure that all of the work spaces air cleared. I leave the door and I pulled the court door closed behind me.
Maybe Jim, another employees in the department says I grabbed ASAT the department sign, and it's just because this is
in a few places I've worked that will actually have a sign so that where you have a rally point
a place where you will meet up afterwards where they could get accountability. Maybe that's Jim's responsibility, says I. Hold up this. I carry the sign out with me and I hold it up as I walked to the rally points of people know where they have to be.
And then Lucy says, I take accountability of everybody. It's not actually doing these things, but it's talking through what would be done and what the proper procedure is.
we go to the walk face. This is where
maybe the department has a fire, fire, fire, someone yells. And then they go through the process of exiting the the room, closing the door, doing well their responsibilities and then rallying up and getting accountability. Ever everyone.
And then the less would be the run face the run phase of training that's actually like, Okay,
Security manager is gonna pull the fire alarm and we're gonna act like there's really fire and we're gonna exit the building.
And I've seen some, some again to create that adaptability.
Sometimes a company will say these fire this this stairwell is blocked and they so that people have to now figure out how to reroute themselves through another stairwell to get out of the building and get proper accountability. And this isn't t confuse anybody. It's not to trip anybody up, but again, it's to develop that understanding and that appreciation
for what the plan is,
please, I hope it never happens. But if it does happen, people will be able to adapt to the situations of, Ah, Fire and one stairwell. So instead of going down stairwell A, they'll go down stairwell B and they could get out of the building safe and sound without any loss of life.
Now, another thing that we do when it comes to training, it's It's only so good that we do the training.
We actually have to
test people on it. Now. I'm not talking about a written test like like a little, uh, like the illustration I haven't and on the right hand side, but ultimately,
what the policy is, how to actually execute it. We actually grade the people on it, and this could be key personnel watching over one shoulder as they walk through what they would do in the event.
Maybe not a fire, but let's say, um,
there's a power loss in the building, and we have their steps to be taken to restore power and get the server room up and running as an example.
Well, the I T department would have set procedures and everyone has their role and they would have gone through the wall, curl up, crawl, walk run phases of it. Now they're gonna actually apply it, and you have someone there who's evaluating them. Well, Jim Jim forgot to call down Teoh Coal Con
to call the
Cities Electrical Company to make sure the backup circuits were turned on. Or Sally forgot to forgot that she needed to turn on the generator
that's located in the building that provides power to the server room. Whatever it is, you could do any example. But it's not, too.
It's not, too to penalize anybody, but it's to have people understand how well they're performing the tasks. It also tells your leadership
how well you've done things, so when they can have count confidence that that the right things will be done when needed. But also
maybe it's that they have to re emphasize training. If if let's, let's say,
uh, the expectation of the goal is to get everyone out of a building in a fire in under five minutes. But it takes everybody constantly 10 or 12 minutes when they're being tested. Well, then we need to run more fire drills. We need to make sure every department knows what their planets. We need to make sure we clearly designate,
um, if people are going to the wrong rally points around the building,
we may. We need to walk. Maybe we need to have, ah, one hour class the teacher, the departments to reiterate and reinforce Why that training is important.
One thing to the businesses conduce Oh, and this is this is, um
I've actually gotten the chance to help out at the state level with this, um
is actually using third party individuals,
people who have pretty much no steak or ownership and what goes on but who can honestly and objectively evaluate and assess as well as have the expertise to test the individuals involved in this. And,
uh, when it
at one time, I was I When I was a student, I was helping out
the state of Indiana. When I was at Purdue, they were doing a an exercise with a lot of the individual
utility companies around the state who will be providing power in the case of some kind of disaster. Oh, have to restore power, I should say. And, um,
I was there taking notes as they were talking through and doing their tabletop exercise, explaining the kinds of challenges they see and how they best respond. And I was just observing them and I was recording, and I would make annotation saying this. This plan doesn't work. Every company might want to institute the plans that
ABC Electrical suggested that they do with their with their customers because it will mean
faster restoration of power,
etcetera. And that's that's the advantage that 1/3 party can bring to this because they really have no stake in the game other than evaluating
what the training that's going on. And the other thing, too, is they can bring a very different perspective to it.
Sometimes through analogy, through experience, they might cease. See something that none of the people who do these things regularly will see because they've got that they've got tunnel vision or they're so focused on. This is the way we've always done it. This is the way we're going to do it.
And that third party and my pain would be could make a suggestion, saying, instead of doing it,
ABC is your steps do steps 123 1st and that will ensure
that that would improve efficiency of of the training or how you restore the power when the
when you lose it, for example,
and a very important part of training is, it gives us the opportunity to look at the plan,
and see where where things have changed about Flynn. Maybe it's maybe there were flaws in the process. May be, You know, when we talked through it, it sounded like a good idea. Sounded like would work really well. But we forgot
circumstances. Certain contingencies weren't accounted for,
uh, new unknown variables. Maybe there's changing technology.
It used to be here as an example. There always used to be the
certain kinds of fire suppression systems used in buildings. Well, when companies start to realize that water suppression systems weren't effective enough, they included chemicals in them. Then there was a consideration off. Well, if we use chemicals and water That's bad for computers.
What different fire suppression systems can we use
so that we don't
guarantee the loss of all of our equipment?
And those things changed over time because,
you know, one point they didn't have the computers. Now, you know, Then they had to start account for these new new assets within the company.
And then it's also the chance to identify where you have missing or failing equipment to do that should be there to produce a certain result.
So let's do a check on learning
we trained. Uh,
I will read the question. The answer is I will give you some time to think about it. Then I will explain whether right answers right in the wrong answers were wrong.
We trained how to respond an adverse event for all of following, except
to gain an understanding of what is expected of us
as a way to impress the boss
to improve our response time
or to ensure minimal disruption resulting from the event
the right answer is
So obviously this is not about impressing the boss. It is about showing the boss that
people are properly training ready to respond in the case in address event. But it's certainly not to impress him. It's about understood. It is about understanding what is expected of us and understanding what the process is. It's about improving our response time so that quicker, quicker reactions save lives
reduce the amount of harm than event may cause.
And it also ensures that a minimal disruption will take place before we're back up performing it, even if it's at a reduced state still performing the business to some level until we can fully get back to 100% operability.
So in this lesson we covered three areas. First, we talked about the importance of training.
I showed you how company contest its plan
and also how to update the plan based on experience.
This concludes this last night. Thank you for joining me, and I look forward to seeing you in the next lesson.