CHAPTER 10. SECURITY AWARENESS, TRAINING, AND EDUCATION

The success of the Commission's recommendations to improve security will depend in part on how well we can incorporate the concepts of risk management, standardization, reciprocity, accountability, and a service mentality into the way we do business and into the fabric of the workforce. The security education community has a critical role to play in this process.

The Commission is proposing a fundamental change in how we view and manage security. The concepts espoused demand greater responsibility from each individual. Management must be educated as to its responsibilities in the new environment and provided the tools to apply risk management effectively. Multidisciplinary security professionals will need to know the "why" as well as the "how" of security in order to move away from a compliance or checklist mentality toward a customer service philosophy. Employees will need to understand their critical role and feel that they have a personal stake in identifying and implementing the goals and objectives of their organization in protecting its assets.

The Present

The Defense and Intelligence Communities each have extensive training infrastructures in place, focused primarily on their own needs. Interaction with respect to curricula and access to courses and material is, at best, informal among the various training facilities. Training criteria and requirements also vary between agencies and departments, resulting in uneven performance levels of security officers. While the Commission recognizes the need for agency- and department-specific training and criteria, these independent efforts produce an inconsistent quality of training, result in a duplication of effort, and reinforce the parochial interpretation and implementation of national policy.

The Commission has also found that, despite the importance of security awareness, training, and education programs, these programs tend to be frequent and ready targets for budget cuts.

Training for the Future

The security system of the future will place greater demands on the entire workforce, but especially on the security professionals. The focus on creative, cost-effective solutions to security problems will require a thorough understanding of both the spirit and the letter of security policies, practices, and procedures. The security professionals will be asked to implement the changes that we are proposing and to provide the expert input needed to make risk management a viable reality. The expertise and energy that molded the present security system must be harnessed and directed to meet the challenges of the new security environment.

The standardization of security training programs and the development of career development tracks are important steps in this process and should be the primary goals of the training community. Uniformity in the skills and knowledge taught to security professionals is needed not only to ensure the quality of work but also to foster a common understanding and implementation of security policies and procedures. The demonstrated need for reciprocity among government agencies and facilities argues strongly for the creation of a career program structure with defined levels of proficiency for security disciplines, professionalization criteria, cross-discipline training, rotational assignments, and opportunities for advancement.

As noted in the Information Systems Security Chapter of this report, nowhere is the need for standardization and professionalization more apparent than in information systems security. Because of a lack of qualified personnel and a failure to provide adequate resources, many information systems security tasks are not being performed adequately. Too often, critical security responsibilities are assigned as additional or ancillary duties. We have not identified all of the missions and functions to be performed by information systems security professionals, and we lack comprehensive, consistent training for information systems security officers; for security engineers charged with developing secure systems, networks, and security tools; and for certifiers and accreditors who can assure us that our networks operate securely. Additionally, in technical areas like information systems security and TSCM, we should provide cross-training between the defensive and offensive sides so that the lessons learned by one side can be of benefit to the other.

Building on the informal cooperation which already exists in some places, a formal partnership between the Defense and Intelligence Communities should be established to achieve these objectives and to realize cost efficiencies. Such a partnership would be based on the joint use of training facilities, the creation of common career fields and professionalization programs, and the consolidation of training management functions into an executive agent for security training. Working in cooperation with the agencies and departments, the executive agent would:

o Identify and catalog Defense and Intelligence Community requirements for security training and coordinate the development of courses to meet the requirements.

o Centralize training resources, facilitate community-wide access to existing training centers and products, and focus investment in training technology.

o Implement curriculum review and instructor certification.

o Establish community course codes and create a central database of available training.

o Develop security professionalization criteria.

Recommendation 74

The Commission recommends that an executive agent for security training be appointed. This executive agent should standardize security training, develop security professionalization criteria, encourage joint use of training facilities, and emphasize the development of information systems security training.

A focused effort is also needed to educate management as to its security responsibilities and to teach principles of effective risk management and its application to security countermeasures. As the insider is cited as the major threat to the protection of information in government and industry today, managers must know how to spot troubled employees, how to help them, what resources are available, and how to use these resources to counter the insider threat.

Sensitizing employees to the continuing need for security will be a challenge in the post-Cold War environment. Government and industry must continue to be made aware of their responsibilities in protecting our nation's assets. However, the Commission found that all too often security awareness briefings, while a cost-effective way to reach the workforce, are viewed as boring, irrelevant, and out of date. Presentations are often made in the same manner regardless of whether the audience consists of new recruits or senior management. Security awareness programs need to be tailored to the audience and refocused to provide current, specific examples of the diverse and multifaceted threats, emphasizing such topics as current counterintelligence issues and information systems security.

Recommendation 75

The Commission recommends that an increased emphasis be placed on developing and funding security education courses for management and up-to-date security awareness programs.