Creating a Cyber Security Culture That Sticks: ISMS Training Review

A number of years ago, we here at Pipedrive went from seeing ourselves as a SaaS startup to realizing our responsibility as a medium-sized technology enterprise.

It was time, as a leading sales CRM, to invest further in our security credentials to provide peace of mind to our *|NR_CUSTOMERS_EN|*+ customers that their data is in safe hands. We tested and rolled out various ways of security training our engineers. Here's what we learnt (the hard way) so you don't have to.

What's an ISMS?

According to TechTarget, an Information Security Management System is:

"An information security management system (ISMS) is a set of policies and procedures for systematically managing an organization's sensitive data. The goal of an ISMS is to minimize risk and ensure business continuity by proactively limiting the impact of a security breach."

4 tips for creating a cyber security culture that sticks

1. Appoint a cyber security 'guru' to be your always-on champion.
2. Involve HR and make cyber security a recognized credit/development opportunity.
3. Set your standard then benchmark employee knowledge levels for tailored development to reach your goal.
4. Culturally, one or two people attending a cyber security class won't get a whole company to care. Why not promote awareness of the implications and outcomes of a cyber attack? People can then visualize one actually happening.

Cyber security online training courses

Online courses are readily available, we used OWASP's web application security training with mixed results. Primarily because our people had different knowledge levels and as a ‘one size fits all' course, it didn't benchmark their ability and tailor course content accordingly. As a result, this learning method may be best suited to SMB's.

Experienced people felt we had wasted their time and the inexperienced, however excited, could not apply the information to the real world, nor did they share their newfound knowledge with peers! So, in summary, online courses are:

✓ Accessible and affordable

× One size does not fit all

× Not practical, therefore easy to forget

× Not cultivators of a security culture

If you have a number of IT and security staff that you could train, but only a limited budget, why not find out who is motivated in the first instance. Try optionally sharing an open source training course to see who takes it up.

Winner: Live cyber security competitions

Rangeforce Cyber Sieges are live competitions for your team and were the most inspirational and effective training method for Pipedrive.

People were put into teams of 8 to 10 and were tasked with protecting a website from a variety of cyber attacks. It doesn't get more real than that. (Until it's real of course.)

Using a virtual private network, your technical staff have to perform under pressure and learn the consequence of cyber security failures.

Individuals working alone enables workforce benchmarking, while them being grouped into teams and pitted against other teams encourages teamwork and heightens the urgency - just like a real life attack.

Performance is measured by:

• The time it takes to defend the attack.
• The technical solution(s) used to resolve it.
• The order in which defense is approached.
• How well security is achieved by teamwork.

We plan on doing ongoing Rangeforce Cyber Sieges because they get people fired up about security knowledge sharing. They also emphasise achieving security in the fastest most effective way possible:

✓ New cyber security knowledge

✓ Live practical learning

✓ Rectifying security flaws at speed

✓ Practice at designing and securing code

✓ Benchmark individual performance for development

Rangeforce is challenging yet fun thanks to the gamification experience. We are sold!

In a cyber attack you are only as strong as your strongest link. Teams with good leadership solve cyber attacks faster than individuals.

How we maintain and raise Pipedrive's cyber security bar

1. Cyber security training (all Pipedrivers)
2. Privacy training (all Pipedrivers)
3. Cyber security in practice (all engineering and technical Pipedrivers - where the highest 10 percent receive advanced training and the lowest 20 percent receive experience-raising training)
4. A dedicated team of cyber security experts

Classroom learning

The classroom learning we tried was similar to the online course; it didn't provide a practical learning opportunity. Participants got to know a body of knowledge - but didn't get to apply it. Again, learnings were not shared with peers.

✓ Basic, intermediate, advanced level

✓ Investment in your people

× No practical application

× No opportunity to test knowledge

The long term benefit to an organization from classroom learning is questionable from our experience, so the winner is clear!

For comprehensive ‘classroom' learning look at SANS. They're pricey but provide the fullest cyber security education with coursework and qualifications.

The reactions so far from the training here at Pipedrive have been so positive that people have been ASKING to get involved - which is fantastic!

Training is only one piece of the Information Security Management System puzzle, of course. Nevertheless, it's arguably the most important piece.

How have you approached cyber security training?