They Didn't Do What You Trained Them To Do? What Went Wrong?
Speaker: D. Cragin Shelton, DSc, CISSP Lead INFOSEC Engineer / Scientist The MITRE Corporation
You taught them what to do, how to do it, and why to do it. You even threw in some jokes and an XKCD cartoon to entertain and keep them awake. They completed the class exercises easily and passed the final quiz with no trouble. Then they went back to their jobs, and forgot everything. Or did they?
People don't follow infosec rules - we already know that, all too well. Do we really not train them well enough, or often enough? Or don’t we reward or punish them enough? I asked them, "Why?" No one else actually had asked. The answers tell us that the quality of training may not be the problem. One lesson - consider the workers' situations; teach them the policies in ways they can and will follow while getting their jobs done.
This talk is for infosec techies who want to be infosec leaders, making a real impact on security in the workplace. It's also for the leader who wants to be more than a pointy-haired boss, to help her people and manage operations for success and security. Infosec awareness and training is not the infosec program, it is only part of that program. Further, it should not stand alone; it must be integrated into the complete infosec program.