Security Awareness Training: How to Match Security and Development
Employees who are aware of major cybersecurity risks specific to your company & domain and know how to mitigate them are the first line of defense for your business. Let’s have a closer look at the essential aspects of security awareness training for employees and software development teams that can help you protect your organization against cyber threats and attacks.
The human factor is one of the most common reasons for the success of cyberattacks. Raising security awareness and educating a company’s employees in cybersecurity best practices is essential for minimizing the risk of security incidents and data breaches. More and more companies are eager to organize cybersecurity training for their organizations and are looking for the most efficient ways to do so.
At the root of things, cyber security training for employees boils down to two major areas:
- Training all employees on cybersecurity basics.
- Additional training of IT teams on application & network security and secure SDLC.
Both of these should be carried out first as a part of the onboarding process and then on an ongoing basis (we recommend doing the ongoing training at least once a year).
General training: the basis for security awareness
Basic security awareness training should be conducted for all employees inside the company as well as consultants and contractors who have access to your IT ecosystem. This training usually covers the following aspects:
- Company’s security policies and procedures
- Personal data protection
- Phishing awareness training
- Essential cybersecurity for remote workers
- Personal online security, etc.
In order to organize such training, you need to define the areas it will focus on. It is a best practice to check what your employees already know and concentrate on the areas where your team lacks knowledge most so that the basic cybersecurity training starts to bring value as early as possible. The easiest way to do this is to conduct a brief survey and collect statistics on the awareness level. This will help you figure out where the gaps are and define focus areas for training.
Then you will need to define the training program and choose the format in which the training will be delivered. It is better to have various types of content delivered on a regular basis (recorded videos and podcasts, posters in the office break room, live presentations, etc.) and broadcast through different channels (online, offline, etc.).
You need to understand that the main goal of such training is to form the right mindset and skills, and not just to provide information. This means the results might not be immediate and will require time, effort, and regular repetition.
Last but not least, it is essential to determine how you will monitor progress and accomplishments. Given that it takes time to develop the required skills and change existing mindsets and habits, it is vital to monitor progress to make sure the training goes in the right direction and at the right pace. Therefore, you need to define what constitutes success for you, what indicators you will track and how you will do so even before the training starts.
Cybersecurity Awareness Training for Software Development Teams
As for your software development departments, it makes sense to supplement the general training with additional application security education focused on raising awareness of threats, risks, and application security best practices. Such training should also include the fundamentals of the Secure SDLC.
Same as with general training, it all comes down to analyzing the current level of awareness and skills, planning the training, choosing the tools you will use, and defining how the progress will be monitored. If you have not yet conducted such cybersecurity awareness training or are at the early stages of implementing such an initiative, below are a few tips that will be useful.
Starting with Application Security Fundamentals
Application security fundamentals training that covers high-level information about the Secure SDLC and the vulnerabilities from the OWASP Top 10 will lay a solid groundwork in secure development principles. Fundamental training should also introduce teams to the basic principles of secure design (including Least Privilege, Defense-in-Depth, Fail Secure, Complete Mediation, Session Management, Open Design, and Psychological Acceptability).
It is important to conduct such training for all software development team members (software testers, project managers, business analysts, developers, DevOps, etc.). You also need to make sure the training stays comprehensible and clear for all participants (including less technical team members) and avoid going too deep into technical details.
Adding Role-based Application Security Training
After you have figured out the basics, it is time to deepen your software development team’s knowledge with a solid technical understanding of the OWASP Top 10 vulnerabilities and the most common remediation strategies for each issue.
At this stage, team members should undergo different types of application security training depending on their role. Developers are trained on coding standards and on the technologies they interact with. Testers are trained on how to identify security defects and which tools can be used to do so. Product managers receive training on topics related to Secure SDLC security practices (e.g., OWASP SAMM (Software Assurance Maturity Model)).
It is crucial to add practical tasks where possible to make the training more illustrative (e.g., developers’ training should include code examples for each type of vulnerability). Platforms such as Web Security Academy by PortSwigger and SecureFlag Open Platform by OWASP can help you with training materials and the necessary examples. These platforms are free, have practical labs for hands-on experience, and allow you to track your team’s training progress.
Purchasing External vs. Developing Internal Training
All forms of security awareness training programs can be conducted internally or externally. Internal training sessions are delivered by someone who already works for your organization. Senior specialists can coach junior members thus helping you build team dynamics. However, internal training sessions have their limits.
Usually, the experts capable of delivering such training are busy with their regular activities and find it difficult to allocate time for items such as the preparation of training materials, lectures, practical tasks, and additional mentoring activities. Moreover, in-house specialists’ expertise level may be insufficient for creating a fully-fledged cybersecurity awareness course.
External training delivered by specialists from outside of your organization or through a third-party special training platform can be a good alternative in such cases. External training gives you the opportunity to learn from industry influencers & highly qualified experts. They can also reveal new approaches that you might not have considered before.
However, the average cost of security awareness training provided externally may be higher than the cost of an internal one. No type of training is a silver bullet. What matters is your internal experts’ availability and expertise and your business goals. Quite often it makes sense to develop the basic training internally and purchase external training for more advanced levels.
The choice of external training options is wide nowadays. You can hire an external security awareness training provider who will analyze your business, check the team’s knowledge, and create a custom training course tailored to your organization. Alternatively, you can go for out-of-the-box training or rely on an existing training platform in order to educate your development team.
There is a wide range of training available, spanning from popular platforms like Udemy, Coursera, and YouTube to specialized learning platforms offered by various small and large cybersecurity training providers. These training courses vary in quality and price range, so you should conduct a thorough analysis to decide which one fits your business needs best.
Selecting the Best-fit External Platform for Security Awareness Training
If you decide to use an external platform for cybersecurity awareness training, it makes sense to pay attention to such aspects as the quality of content, reporting capabilities, ease of administration, and of course the price.
Regarding the quality of the content, it is important to consider the relevance and frequency of information updates (new threats and vulnerabilities appear frequently) and the availability of labs for different programming languages, frameworks, and technologies. Gamification elements (e.g., achievements, leaderboards, interactive quizzes, etc.) can help a lot in driving user engagement.
The availability of practical assignments is essential as they will give your team hands-on experience and fortify the knowledge they gain through the theoretical section. These assignments can be “scenario-based labs” (where the student will follow the entire process according to a previously prepared scenario) and “freedom of action labs” (where the student will need to assemble a puzzle to complete the assignment).
The reporting and administration capabilities of the platform are also important. It makes sense to pay attention to the compatibility and integration possibilities with third-party LMS (Learning Management System) options for granularity and customization, user and group management capabilities, and integration with different Identity Providers.
At Sigma Software we often rely on such security training platforms as Immersive Labs, Kontra Application Security Training, Codebashing by Checkmarx. They cover various vulnerabilities, programming languages, frameworks, and have a large number of practical labs.
Introducing indicators, metrics, and reports
In order to be effective at anything, you need to use metrics. Security is no exception. You need to know where you are, and how well and how fast you should proceed. Surveys and security awareness assessments are essential for both you and your team. They help your organization understand how well the content and learning resonate with people, and they let your team members benchmark how far they have progressed.
Making your security awareness training an ongoing process
Most companies organize training at least once a year to educate employees on how they can help protect an organization's sensitive information. It is a best practice, but the current technology climate indicates that this may not be enough. You need a strategic approach that allows you to always maintain a culture of information security and it is crucial to make security awareness a continuous process. The format of small and engaging assignments on the portal or in the form of short videos delivered frequently (e.g. once a month) helps to maintain security awareness along the way.
Another great way to make your security training a continuous process is to leverage social engineering practice tests. In these tests, employees will have to decide what to do in certain situations: notify the responsible party, ignore the malicious link or follow it, and these actions will determine whether the organization is at risk regarding cyber security incidents. However, offering such tests to employees on a regular basis can put too much pressure on the team, so we recommend going easy on those and focusing more on educating rather than pushing such tests too often.
One Time Training Isn't Enough
Cybersecurity awareness training is essential for business sustainability. It is crucial to understand that such training should be an integral part of the company's processes, conducted on a regular basis and not just as a one-time procedure.
Our main suggestion is to implement these training courses step by step and continuously work towards raising the awareness of all employees in the organization. If you need additional advice or help with external security training for software development teams, feel free to contact us and check out our Cybersecurity services.