Friday 8 September 2017

Security certification

Aside from the elevator pitch, another short awareness item in our newly-revised Information Security 101 module is a course completion certificate, simply acknowledging that someone has been through the induction or orientation course.

I say 'simply' but as usual, there's more to it.

For a start, some of us (especially those who consider ourselves 'professionals') just love our certificates: our qualifications and the letters before/after our names mean something to us and hopefully other people. This is a personal thing with cultural relevance, and it's context-dependent (my 30-year-old PhD in microbial genetics has next to nothing to do with my present role!). My even older cycling proficiency certificate is meaningless now, barely a memory, but at the time I was proud of my achievement. Receiving it boosted my self-esteem, as valuable a benefit as being able to demonstrate my prowess on two wheels. I'm tempted to use Cprof on my business cards just to see if anyone reads them!

On the other hand, a certificate indicating a pass mark in some assessment or test can be misleading. The driving test, for example, is a fairly low hurdle in terms of all the situations that a driver may have to deal with over the remainder of their driving career. There is clearly a risk that a newly-certified and licensed driver might be over-confident as a result of passing the test and going solo, a time when accidents are more likely. Hence some countries encourage a subsequent period of driving with special P-plates (meaning probationary, or passed or potential or ...) in the hope that others will give new drivers more space. In risk terms, there are risk-reduction benefits in letting new drivers continue to hone their new-found skills, offsetting the increased risk of incidents.

In the same way with the InfoSec 101 course completion certificate, we're glad to acknowledge the personal achievement and boost people's self-esteem (yay - something positive associated with information risk and security!), although there is a risk they might believe themselves more competent in this area than they truly are. On balance, we'd rather deal with that issue, in part through the ongoing security awareness activities that delve deeper into areas covered quite superficially in the 101 module, across a broader range of topics, and partly through the corporate support structure and processes - the security culture that will be covered in next month's awareness materials.

Perhaps at some later point well after induction, it might be appropriate to test workers again then issue the equivalent of those advanced driver certificates, accompanied with benefits analogous to lower insurance premiums? We include awareness tests in every module, so it's certainly feasible to track their scores and reward the star performers. There's even a rewards menu in the 101 module, complete with bronze, silver and gold-level certificate ideas, among many others.

Notice the emphasis on positivity and reward. We'd much rather focus on those who pass and succeed, than those who fail. Let's be frank here, failing something as basic as an InfoSec 101 awareness test (or driving test!) is really bad news, perhaps even justifying dismissal of new workers at the end of a probationary period. Such a hard line is something organizations might consider appropriate or necessary, especially in industries where information risks are substantial (e.g. defense, critical infrastructure, finance, government, health and IT), but it's not part of our remit. Personally, I would find such an approach unacceptable: instead I'd rather settle for remedial one-on-one training and limiting access to information until a passing grade is attained. To be honest, I'm more comfortable passing the buck to local management and HR in such delicate areas, especially given the employment law compliance implications.

There's another aspect to the 101 course completion certificate, concerning the award issue process itself: we provide a form letter to be sent along with the certificate by or on behalf of the CISO, ISM or some other appropriate manager. Most of all, it's an opportunity to re-emphasize that newcomers are integral, valuable parts of an organization that proactively protects and exploits information. Encouraging further contact between workers and the Information Security function bolsters the social network, directly supporting the oft-espoused but generally vacuous line that "We are all responsible for information security". Yes we are, but there's more to it than trotting out some trite line on a poster or policy.

By the way, that's NOT our certificate imaged above. Ours is more classy, more refined, more attractive, more valuable. At least we think so. Aside from the execution, the concept is invaluable. And now it's yours. 
