Security awareness

Who Should Be Able to Opt Out of Security Awareness training - and How

Ian Palmer
March 9, 2016 by
Ian Palmer

Brad Johnson is adamant that no one in an organization should be exempt from security awareness training. Not the CEO. Not the chief security officer. Nobody.

Johnson, the vice president of SystemExperts, says that making exceptions on the security awareness training front would only open companies up to a host of problems that otherwise might have been avoided.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

"Who should be able to opt out of security awareness training? The simple answer is nobody," says Johnson. "Yes, I said nobody. What about the chief security officer?  Nope. What about the director of IT management? Nope. And so on, and so on. Let's ask this same kind of question in a different context. What NFL player should be able to opt out of practice? Should an NBA player be able to opt out of warm-ups?"

Johnson, who has participated in seminal industry initiatives including the Open Software Foundation, X/Open, and the IETF, is one of the many experts who insists on providing training without exceptions. Rather than considering who should be able to opt out of security awareness training, Johnson says that companies need to mull instead over what sort of training should be provided to employees.

While the experts believe that everyone from the top to the bottom of organizations need to take security awareness training, some believe that the trainers who lead out in such programs can potentially be exempted on account of their extensive knowledge base and expertise.

Background Stats

According to the 2015 US State of Cybercrime Survey, cyber security incidents are both increasing in number and becoming more and more destructive. Moreover, adversaries behind the attacks are investing not only in technologies but also in training their crews to attack with greater efficiency. If the bad actors believe in training, then so, too, should the companies that often find themselves on the receiving end of cyber attacks.

The study notes that businesses that invest in and implement new technologies to safeguard against cyber attacks, without updating processes and giving workers training, will probably fail to get the full value out of their spending. And while security awareness training is critical, only 50% of survey respondents acknowledge that they run periodic security awareness and training programs, and only 50% of respondents admit that they provide security awareness training to new hires.

Training for All

CenturyLink CSO Dave Mahon previously served the FBI for over three decades, during which time he was responsible for investigative teams and programs that dealt with targeted attacks on the Internet, computers systems and networks.

Asked if there are situations where it might be okay to allow workers to forgo training, he says that his general response is no. There may be extenuating circumstances, though, like illnesses where workers miss training or unique situations where certain employees may not have to access the corporate network or to look at the data.

"Could there be one-off scenarios, yes," he says. "But keep in mind what the objectives of all employees, really, and all contractors or third parties who connect to your network or have access to your data is. If you think about the objective of training initiatives, those objectives help you decide if there are any exceptions that should be allowed."

On the cybersecurity training front, the objective of all training for employees and contractors is to be certain of the availability, safety and integrity of corporate networks and data, says Mahon.

"If you look at the incidents that occur in a corporation the size of CenturyLink, which is about 44,000 employees and another 20,000 contractors, a high percentage is caused by employees," he says. "Most of it is caused by good employees who make a mistake, do something over the normal course of the day unintentionally."

Ensuring that workers understand how to conduct themselves when using the corporate network is the responsibility of the information security team, notes Mahon, and this means that the team needs to provide the right sort of security awareness training.

There are many good reasons why businesses shouldn't permit their employees to skip security awareness training, adds Rob Kraus, director of security research and strategy for Solutionary.

"Security awareness training is an opportunity for organizations to reinforce existing policies, and to update employees on changes in these policies which they might not be aware of," says Kraus, who specializes in vulnerability research, threat intelligence, incident response, application security assessments and attack mitigation tactics. "It also allows organizations to introduce new policies and procedures that have developed since the last training session."

It's also important for companies to ensure that security is part of their corporate culture and that they send the right message to their workers, says Kraus, author of Seven Deadliest Microsoft Attacks and co-author of Seven Deadliest Network Attacks.

Excusing the Trainers?

Agreeing that there should be no exceptions, Morey Haber, vice president of technology for BeyondTrust, adds that the trainers could warrant an exception.

"There should be no exceptions to security training within an organization except for the trainer…, which is obvious if internal staff does it," he says. "The trainer has gone through extensive preparation…and should be certified as a CISSP or equivalent in order to perform the session. Their preparation far exceeds the material being delivered and basically makes them exempt."

Haber, who joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition and currently oversees strategy for both vulnerability and privileged identity management, adds that – outside of trainers – security training should include everyone in the organization. That includes IT staff, security pros, and executives.


"Basically, it should be mandatory, just like any other mandatory program an organization has established," says Haber. "It also sends a strong and healthy message to all employees that anyone at the organization can be a victim of a cybercrime and that all individuals need to be…reminded of what to look for and how corporate policy includes them."

Mahon certainly agrees that IT staff, security professionals, and executives need to undergo training, but he disagrees with the idea of granting the trainers exemptions. The first reason to train the trainers is that they need to set the example.

"Number two, very smart people who think they know a great deal are frequently the ones who are victimized during a compromise," says Mahon. "They need the training like everyone else. I would not exempt them at all. In fact, you could make a very logical argument that they are at a higher risk of causing damage to the company simply by the nature of their position in the company, the level of access they would have…"

What Kind of Training?

At the end of the day, what it comes down to is figuring out what sort of training workers need to help them avoid being victimized by a cyber attack. And that's where the hard work comes in because companies need to figure out how much training workers need, how often they need it and when they need it.

"The real question is: What kind of security awareness training is appropriate for you?" says Johnson from SystemExperts. "Everybody needs to spend time and energy on reminding themselves of what's important to be successful in their job and…what's important for everybody else to be successful."

Get six free posters

Get six free posters

Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.

Everyone, after all, requires some sort of security awareness training, he notes, and this training must reflect both skill level and duties in the workplace.

Ian Palmer
Ian Palmer

A Canadian currently based in Ontario, Canada, Ian is a researcher for InfoSec Institute. Over the years, he has written for a number of IT-related sites such as, and