Are You Providing Cybersecurity Awareness, Training, or Education?
When I attend trainings, conferences, or briefings, I usually end up listening to someone reading slides about a problem. Rarely am I provided with any solutions or actions to remediate the problem. As a cybersecurity trainer with 17+ years of experience and a degree in education, I understand that developing a good presentation is a challenge in any domain. Fortunately for cybersecurity professionals, the National Institute of Standards and Technology (NIST) can help you choose which kind of presentation to give. This blog post will review the three types of presentations defined by NIST: awareness, training, and education.
What are you presenting?
You have to know whether you're delivering a presentation for awareness, training, or education. Here are the definitions, according to NIST Special Publication (SP) 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model.
Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. - NIST SP 800-16
If the purpose of your briefing is to simply tell your audience about a topic or problem so that they can respond, you're providing awareness. Provide the information and suggest actionable solutions for your audience.
Training strives to produce relevant and needed security skills and competency by practitioners of functional specialties other than IT security (e.g., management, systems design and development, acquisition, auditing). - NIST SP 800-16
Describe the new skills, provide practice--either guided or independent--and maybe even provide a checklist or job aid that will prompt the audience to use those new skills and abilities after they leave your presentation. Your checklist or job aid will improve not only that person's work, but also the cybersecurity of their office and the transfer of that skill to others within their organization.
If you want to change their normal behaviors, then you are providing training.
Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge, adds a multi-disciplinary study of concepts, issues, and principles (technological and social), and strives to produce IT security specialists and professionals capable of vision and proactive response. - NIST SP 800-16
Education is generally thought of when beginning or entering a new field. For example, a high school graduate or someone changing careers would attend a college or university to receive an education in cybersecurity. This audience must learn the breadth and depth of knowledge necessary to begin a successful career in the cybersecurity industry. Once on the job, they would receive job-specific training to focus their knowledge to successfully complete the tasks of their employment.
At the Software Engineering Institute and within Carnegie Mellon University, we provide awareness, training, and education to a variety of audiences. Knowing which to use in the right situation is important.
- If your audience needs to know about a cybersecurity situation so they can devise a solution, you are providing awareness.
- If you are trying to change your audience's behavior or improve their knowledge, skills and abilities to improve their cybersecurity, you are providing training.
- If you are trying to create well-rounded cybersecurity professionals who can take what they have learned, add it to other knowledge, and expand it to different situations to improve the overall body of knowledge of cybersecurity, you are providing education.
Here is my final piece of practical advice, especially when speaking to cybersecurity professionals: Your audiences should always leave with new information, a new way of operating, or a list of tasks to perform or complete. If you can do that, you can make a difference in the way your audience conducts cybersecurity and protects the information entrusted to their care.