Security training no longer on the back burner

Growth in data breaches prompts agencies to invest more in training for security professionals and employees.

The rise in data security breaches at federal agencies and the emergence of new cyberthreats have spurred a major shift in the way many officials train their security and information technology professionals and provide awareness education for workers.

In the past, many agencies did not emphasize making workers more security savvy and keeping security administrators abreast of the latest techniques and technologies to thwart cyberattacks, experts say.

But agencies are revamping or developing new training programs after the 2001 terrorist attacks and the recent incidents of compromised personal data on stolen agency laptop PCs.

“We’ve seen a major cultural shift in the training environment,” said John Mongeon, who leads the government services division at the nonprofit International Information Systems Security Certification Consortium, or (ISC)2.

“Before Sept. 11, security training was on the back burner for most agencies, but now they are trying to get in front” of the security problems, Mongeon said.

That shift has produced a surge in the demand for formal accreditation programs for security professionals, such as the ones run by (ISC)2 and other commercial organizations. Few government chief information security officers (CISOs) lack a Certified Information Systems Security Professional (CISSP) or similar accreditation on their résumés.

Agencies are also increasingly requiring information technology workers to take training courses in security issues related to their areas of expertise. Although those courses aren’t as intensive as the security professionals’ training, IT employees often need security courses to advance in their careers.

And general security awareness programs, which agencies used to cover in annual half-hour or hour-long auditorium presentations, are becoming year-round, focused affairs.

“Training in awareness has become more specific and granularized and more focused on roles,” said Lynn McNulty, (ISC)2’s director of government affairs. “It’s no longer just a half-hour PowerPoint presentation.”

No government training program is more ambitious than the Defense Department’s. It issued Directive 8570.1 on information assurance workforce training in August 2004. In December 2005, the department approved the directive’s proposal to train and certify at least 80,000 DOD employees in the next four years.

The training will involve all military services and DOD agencies and will include contractors. The goal is to create a cadre of information assurance professionals in technical and management positions who will be closely aligned with the military’s network-centric warfare strategy.

Department officials expect the program to boost DOD’s security expertise. They will raise the bar by offering specific training that meets the needs of each service and DOD agency, said George Bieber, deputy director for information assurance human resources and training in DOD’s Defense-wide Information Assurance Program.

The commercial certification programs provided by (ISC)2 and four other private industry organizations will cover a lot of the training content, Bieber said. But they won’t cover everything. Agencies still need to train and certify employees on their operating systems and security tools and devices.

“There’ll be a lot of schoolhouse training also that will take and train people with no expertise in IT,” he said. “Over time, we’ll be building a complete IT security force.”

EPA offers year-round training
Civilian agencies’ training programs are less extensive but, nevertheless, are becoming more complete. For example, the Environmental Protection Agency, which was one of five agencies to receive an A-plus on its 2005 Federal Information Security Management Act (FISMA) score card, offers year-round training for its security professionals.

The EPA’s training program includes classroom sessions, provided mainly through National Defense University’s Information Resources Management College, and online training via the Office of Personnel Management’s GoLearn.gov IT Security Library.

The EPA also sponsors conferences, such as the annual IT Security and Operations Conference, that provide training on new or updated security requirements and standards.

EPA officials want to create a robust and continuous learning environment that includes training throughout the year, said Odelia Funke, director of the Mission Investment Solutions Division in the EPA’s Office of Environmental Information. National Defense University offers classroom training throughout the year, and at least one component of the online training is available 24 hours a day.

The idea is to provide maximum flexibility for users, Funke said.

“At the EPA, we have found that training is rather consistent throughout the year,” she said. “There are no trends identified indicating peak and off-peak training times.”

Agencies should provide a mix of resources because people learn in different ways, said Nancy DeFrancesco, the Commerce Department’s CISO. A one-size-fits-all approach is not wise, she said.

During the past year, Commerce offered courses only through OPM’s online learning center. However, many people asked for classroom courses, which Commerce began to provide this year.

“Some people just need the interaction and the ability to ask questions that a classroom setting provides,” DeFrancesco said. “Now I think we have a good mix. There are folks all across the nation and around the world who can use a variety of classes, and there are public venue classes that our [security] vendors provide.”

Commerce also uses a mix of training content. Like many agencies, it combines its own materials with commercial training courses.

For example, to teach the department’s contracting officers about the necessary security measures throughout the procurement life cycle, Commerce combines commercial courses with its materials specific to department procurements. All Commerce contracting officers must pass that training program, DeFrancesco said.

Security awareness is a different animal
Security awareness is different from the training provided to security and IT professionals. Agency officials can assume that professionals have the motivation to pursue training courses and learn from them. But they can’t assume that of all agency employees.

When considering security awareness programs, agencies must account for a broader range of people. Agencies may require participation of anyone from high-level executives and agency managers to entry-level computer users. But executives and new employees differ greatly in their availability and the time they can devote to security awareness, experts say.

The goal of any awareness program is to make people understand the value of the information they handle and the need to protect it, said Jim Molini, deputy program director for enterprise services at Mitre, which works closely with government in several technology fields.

Once agency officials get that point across, they can extend the awareness program to various techniques that are important to the agency, such as password protection, Common Access Card use and digital signatures, Molini said.

“It’s really a marketing job on the part of the agency,” he said. “It has to give its employees a better understanding of what the agency is doing with the information and to let them know they are a part of the agency’s broader operation to secure that information.”

W. Hord Tipton, chief information officer at the Interior Department, said he thinks security awareness could be the most important piece of the puzzle in terms of satisfying FISMA requirements and Congress’ expectations.

At Interior, security awareness training has become a little tougher each year, Tipton said. Computer users must now pass mandatory online exams. If they don’t complete that test by a certain date each year, the department cuts off their access to computers and the Internet. Interior boasts a 98 percent pass rate for this exam among its staff and contractors.

However, Tipton said, even though the exam may be mandatory, the department must still be careful with the training. Agencies shouldn’t force training on people or else many will skip it. For that reason, a year-round approach works best, including events such as a security week, regular alerts that warn users of specific cyberthreats and weekly e-mail reminders.

Agency officials must make security awareness personal, Tipton said.

“I like to use anecdotal stories,” he said. “I’d use the example of the [stolen] VA laptops and the fact that the VA had to send out letters to all the veterans who were affected and that if it happened at Interior, the costs for that would come out of people’s program budgets.”

“We try to draw parallels that are specific to Interior,” he said. “We try to show the pain involved with these kinds of things.”

The U.S. Agency for International Development, another A-plus recipient on the FISMA score card, also requires people to pass a test to be able to use their computers. In its case, the tests are a daily affair.

“To get on to the network each day, people have to be exposed to a privacy tip and a question they have to answer, and we grade everyone’s answers,” said Phil Heneghan, USAID’s CISO and acting CIO. “Everyone has to do this, from administrators to political appointees.”

Everyone gets a different question each day, randomly selected from a bucket of about 500 tips that change regularly. If people don’t answer at least 80 percent of their questions correctly, their supervisors receive a notice from Heneghan’s office.

The average pass rate since USAID established this practice three years ago is now better than 95 percent.

Heneghan said he thinks that because people at the highest levels in the agency also have to go through this process, it may be his best weapon in spreading a culture of awareness.

“It’s so helpful to me when people complain about having to go through this that I can point to the fact that their bosses have to do it,” he said. “I’ve spoken to other agencies, and they are not sure they want to put their managers through all of this.”

Heneghan said he has the support of his senior managers, adding that they are much better informed than many other agency managers are about security issues. And that makes it much easier for him to talk to them about security risks.

“Awareness has made a difference for every other [security] issue we deal with,” he said. “It’s probably been the biggest issue in affecting all of this.”

McNulty said he feels that senior agency managers understand that they need to apply more effort to security awareness. Molini said senior leaders must be involved.

“If you argue that awareness programs are a form of marketing, then high-level executives become celebrity endorsers,” he said. “And those kinds of things are important. Many people like to see their executives out there, and [awareness] is one area where they could usefully be visible.”

Security training trends point to greater collaboration

Each federal agency now makes separate deals for its security training, either through government resources or commercial companies. But that arrangement will likely change in the future under the Information Technology Security Line of Business initiative that the Office of Management and Budget and the Homeland Security Department are promoting.

Under that initiative, agencies will commit to more standardized training processes provided through shared-services centers. OMB has set a deadline of Dec. 15 for agencies to decide how they will standardize their training under this arrangement. Agencies must begin migrating to shared services by April 2007.

The Environmental Protection Agency, DHS, the Justice Department, the U.S. Agency for International Development, the Office of Personnel Management and the Treasury Department’s Bureau of the Public Debt have submitted business cases to become shared-services centers.

OMB’s idea is that agencies will be able to redirect some of the $1.4 billion they expect to spend on IT security training and reporting to more mission-critical purposes by standardizing their training programs.

The shared-services concept won’t necessarily change the training content that agencies provide because each agency would still make those decisions.

But Nancy DeFrancesco, the Commerce Department’s chief information security officer, said she believes shared services will be the driver of governmentwide IT training beginning in fiscal 2007.

Others are taking a wait-and-see approach.

“We’re waiting with bated breath to see how it all comes out,” said Phil Heneghan, USAID’s CISO and acting chief information officer. “We expect to participate as a center of excellence, but we’re not sure just how it will affect us yet.”

Even though OMB and DHS are mandating certain standards under the initiative, its success will depend on factors such as which agencies OMB and DHS choose as shared-services centers, said George Bieber, deputy director for information assurance human resources and training at the Defense Department.

Security awareness needs and policies also often have a local focus — what to report, and whom to report it to — and those won’t be covered under the initiative, he said.

Sources for security training
Agencies can tap numerous resources to get information on security training and sign up for specific training and awareness courses.

The National Institute of Standards and Technology has a comprehensive site that provides information on awareness, education and training (csrc.nist.gov/ATE).

The Office of Personnel Management provides advice and specific training through its online GoLearn.gov program (www.golearn.gov/MaestroC).

The National Defense University’s Information Resources Management College (www.ndu.edu/IRMC) provides a range of classroom training, and the Defense Information Systems Agency (iase.disa.mil/index2.html) works with the Defense Department and the wider federal community to enhance overall government information assurance training and awareness.

On the commercial side, training and professional accreditation are provided through organizations such as the International Information Systems Security Certification Consortium (https://www.isc2.org/cgi-bin/index.cgi), the SANS Institute (https://www.sans.org), SecurityCertified.Net (www.securitycertified.net), the Computing Technology Industry Association (www.comptia.org) and the Information Systems Audit and Control Association (www.isaca.org).