CHAPTER 10. SECURITY AWARENESS, TRAINING, AND EDUCATION
The success of the Commission's recommendations to improve security will depend in part
on how well we can incorporate the concepts of risk management, standardization,
reciprocity, accountability and a service mentality into the way we do business and into
the fabric of the workforce. The security education community has a critical role to play
in this process. The Commission is proposing a fundamental change in how we view and
manage security. The concepts espoused demand greater responsibility from each individual.
Management must be educated as to its responsibilities in the new environment and provided
the tools to apply risk management effectively. Multidisciplinary security professionals
will need to know the "why" as well as the "how" of security in order
to move away from a compliance or checklist mentality toward a customer service
philosophy. Employees will need to understand their critical role and feel that they have
a personal stake in identifying and implementing the goals and objectives of their
organization in protecting its assets.
The Present
The Defense and Intelligence Communities each have extensive training infrastructures
in place focused primarily on their own needs. Interaction with respect to curricula and
access to courses and material is, at best, informal among the various training
facilities. Training criteria and requirements also vary between agencies and departments,
resulting in uneven performance levels of security officers. While the Commission
recognizes the need for agency and department specific training and criteria, these
independent efforts produce an inconsistent quality of training, result in a duplication
of effort, and reinforce the parochial interpretation and implementation of national
policy. The Commission has also found that despite the importance of security awareness,
training, and education programs, these programs tend to be frequent and ready targets for
budget cuts.
Training for the Future
The security system of the future will place greater demands on the entire workforce,
but especially on the security professionals. The focus on creative, cost-effective
solutions to security problems will require a thorough understanding of both the spirit
and the letter of security policies, practices, and procedures. The security professionals
will be asked to implement the changes that we are proposing and to provide the expert
input needed to make risk management a viable reality. The expertise and energy that
molded the present security system must be harnessed and directed to meet the challenges
of the new security environment. The standardization of security training programs and
development of career development tracks are important steps in this process and should be
the primary goals of the training community. Uniformity in the skills and knowledge taught
to security professionals is needed not only to ensure the quality of work but also to foster
a common understanding and implementation of security policies and procedures. The
demonstrated need for reciprocity among government agencies and facilities argues strongly
for the creation of a career program structure with defined levels of proficiency for
security disciplines, professionalization criteria, cross-discipline training, rotational
assignments, and opportunities for advancement.
As noted in the Information Systems Security Chapter of this report, nowhere is the
need for standardization and professionalization more apparent than in information systems
security. Because of a lack of qualified personnel and a failure to provide adequate
resources, many information systems security tasks are not being performed adequately. Too
often critical security responsibilities are assigned as additional or ancillary duties.
We have not identified all of the missions and functions to be performed by information
systems security professionals and lack comprehensive, consistent training for information
systems security officers; security engineers charged with developing secure systems,
networks and security tools; and certifiers and accreditors who can assure us that our
networks operate securely. Additionally, in technical areas like information systems
security and TSCM, we should provide cross-training between the defensive and offensive
sides so that the lessons learned by one side can be of benefit to the other.
Building on the informal cooperation which already exists in some places, a formal
partnership between the Defense and Intelligence Communities should be established to
achieve these objectives and to realize cost efficiencies. Such a partnership would be
based on the joint use of training facilities, the creation of common career fields and
professionalization programs, and the consolidation of training management functions into
an executive agent for security training. Working in cooperation with the agencies and
departments, the executive agent would:
- Identify and catalog Defense and Intelligence Community requirements for security
training and coordinate the development of courses to meet the requirements.
- Centralize training resources, facilitate community-wide access to existing training
centers and products, and focus investment in training technology.
- Implement curriculum review and instructor certification.
- Establish community course codes and create a central database of available training.
- Develop security professionalization criteria.
The Commission recommends that an executive agent for security training be
appointed. This executive agent should standardize security training, develop security
professionalization criteria, encourage joint use of training facilities, and emphasize
the development of information systems security training.
A focused effort is also needed to educate management as to its security
responsibilities and to teach principles of effective risk management and its application
to security countermeasures. As the insider is cited as the major threat to the protection
of information in government and industry today, managers must know how to spot troubled
employees, how to help them, what resources are available, and how to use these resources
to counter the insider threat.
Sensitizing employees to the continuing need for security will be a challenge in the
post-Cold War environment. Government and industry must continue to be made aware of their
responsibilities in protecting our nation's assets. However, the Commission found that all
too often security awareness briefings, while a cost-effective way to reach the workforce,
are viewed as boring, irrelevant, and out-of-date. Presentations are often made in the
same manner regardless of whether the audience consists of new recruits or senior
management. Security awareness programs need to be tailored to the audience and refocused
to provide current, specific examples of the diverse and multifaceted threats, emphasizing
such topics as current counterintelligence issues and information systems security.
The Commission recommends that an increased emphasis be placed on developing and
funding security education courses for management and up-to-date security awareness
programs.