Today, I will be going over Control 17 from version 7 of the CIS top 20 Critical Security Controls – Implement a Security Awareness and Training Program. I will go through the nine requirements and offer my thoughts on what I’ve found.
Key Takeaways in Control 17
- Less focus on metrics. The previous security awareness control had multiple sections on metrics and improving the overall compliance score. This round of controls is focused more on just establishing a method to deliver continuous training while only highlighting a handful of the most common attack vectors.
- Outsourcing continues to be ideal. Security teams are already under-staffed, underfunded, and overworked. Establishing an awareness training program from scratch will be a time-consuming process that may be better suited for a third party to develop and deliver.
Requirement Listing in Control 17
1. Perform a Skills Gap Analysis
Description: Perform a skills gap analysis to understand the skills and behaviors to which workforce members are not adhering, using this information to build a baseline education roadmap.
Notes: Performing a true skills gap analysis across the organization is going to be a time-consuming process. If you are just starting out on your journey of security awareness training for the organization, it may be best to look for a third party for help.
2. Deliver Training to Fill the Skills Gap
Description: Deliver training to address the skills gap identified to positively impact workforce members’ security behavior.
Notes: Delivering the training closes the loop opened by the skills gap analysis in the first section. The training can take the form of in-person presentations or automated videos delivered through the web; the size and complexity of your organization will most likely determine which route to take.
3. Implement a Security Awareness Program
Description: Create a security (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Travis Smith. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/20-critical-security-controls-control-17-awareness-training/