Security training and awareness entails awareness creation, security information sessions an materials, education, educational programs, certification of people and all related formats and programs designed to inform and support people in understanding about cybersecurity.
Security training programs will need to be an integrated part of a security strategy and policy. Next to the definition of risk, design of security policies describing how people should be getting or not getting access to specific environments, the people operating these environment should be instructed properly.
Security training and education can be system and operation specific, but needs also to accompany the company and plant specific guidelines in security.
Training and education should be a continuous activity, including repetition of elements of importance and strategic relevance.
Security education programs should be adapted to specific departments, or groups of people, depending on their levels of maturity, systems access and responsibilities.
Security education can be educational programs outside of the organizations, at specific dedicated educational organizations (private, high schools, universities, ... ) or within the organization itself. Some companies organize a one day educational course on cybersecurity, while others provide access to courses online.
These educational programs can be followed by assessments, and can lead to the provision of certificates of attendance or qualification.
Programs related to Cybersecurity can be CISSP (Certified Information Security Professional), CISM (Certified Information Security Manager), CISA (Certified Informatio Security Auditor).
Other Cybersecurity educational programs will relate to specific components in the Cybersecurity architecture, such as Firewall, Monitoring, Identity & Access expert.
Organizations can provide educational programs from within their internal organizations (own developments or licensed from educational organizations), or can develop a specific cybersecurity program dedicated to a specific application or service which has been developed.
Cybersecurity awareness programs are more informative than educational programs, typically less attention demanding, less lengthy, but aimed to a specific series of rules, or oriented to relate to a specific behavior instead of knowledge transfer.
The awareness program can indicate that the company is concerned over cybersecurity and draws attention to its employees how to handle incoming emails, watch out for suspicious behavior, means to detect that it is suspicious and what NOT to do with it. It can indicate the impact by means of a short movie, without going into detail on the whole architecture behind it.