Security Awareness Training? Do I Really Need One?

Malin Martinsen
Published in NS-Techblog
6 min read · Jun 21, 2023

“By cybersecurity, do you mean the awareness course we have to take to make sure our bosses know we’re not clicking on sketchy links or handing over client information?” As young professionals, we’ve all received that email with the annual cybersecurity awareness training, reminding us not to forget to lock our computer or click on any sketchy links. And in my experience, for many professionals, that’s where their cybersecurity knowledge and interest ends. That’s why I’m going to tell you about my experience and how I ended up in one of the most important areas of IT: Security.

More Security Equals Less Usability

This first sentence is pretty similar to what I experienced and thought when I entered the professional world and heard about the awareness courses. It was something we had to do in order to continue working with customer data. We all knew about the GDPR and how the rules made our jobs more difficult — but again, better for the customers. Before I started my IT career at NS, I had several jobs — mostly in retail and tourism, where I’ve been involved with security in different forms in more or less every job I’ve had. And like many other young professionals, I think that the security measures taken within the organization and the security awareness courses were all done with good intentions to spread awareness, but didn’t quite get the attention they deserved.

Before I started at NS, I worked at Amazon Customer Service, which is a company with a very strict security policy regarding customer data — which is great for the customers, of course. But all I could think about was how it made my work a lot more inconvenient, and how I found it annoying that I couldn’t even have my cell phone with me at my desk. But how did the journey start that took me from this perspective to being a security consultant at NS?

The Beginning of the Change

When I finished high school and was at the point of choosing a career, I knew I wanted to work for the people. I have a strong sense of justice. So the choice to study law was a natural one. In 2021, I graduated with a Bachelor’s degree in Law (with an interest in Criminal Law and GDPR), which makes me believe that I am perhaps a bit more aware of the risks and certainly more aware of the rights than I would have been without this degree. However, the technical depth of security was still vastly unfamiliar to me.

When I started my IT career, I expected that to change — that as a technical person with more knowledge about the dangers of the World Wide Web, I should be able to protect myself from vulnerabilities. My way into the IT world was through an internship with Young Capital, which, if you read between the lines, means that I have no formal IT education. I’ve had a passion for technology and computers for many years. When I was about 10 years old, I literally built my first computer with my father. Law was exciting, but technology even more so. As a girl, I never thought that IT would be anything other than a hobby. I still have flashbacks of being a kid and trying to hide from my girlfriends that I liked to play games other than The Sims (and even that was on the edge).

So when I finished my bachelor’s degree, I decided to learn programming. Within a few months I was writing my own programs in Java and applied for an internship at Young Capital. Lucky for me, I got a place on the program. Through Young Capital I was also trained, but mostly in programming or the different systems/applications that programmers use every day, like Azure or Docker. In other words, from a security point of view, I had a pretty blank slate at the start.

The thing is, at NS I started as a developer in a database program, which meant I had access to all the sensitive customer data. Our main focus was on programming and operational tasks, which meant that very little time and effort was spent on security. To be honest, it didn’t even occur to me that I was sitting there with the crown jewels of NS in my hands.

I asked myself, “What is cybersecurity and why do we have it? Why bother? The hackers are too resourceful anyway, right?”

All companies have valuable assets — in information security, this is most often sensitive customer (and employee) data. The concept is not that hard to understand. The point is that developers, like me, don’t necessarily see it as clearly as a security professional. When you look at something so closely as a developer, you don’t really see what the whole thing is, let alone its role and risk in the overall system, and there’s absolutely no shame in that.

The thing is, security isn’t just about making the system hard to hack so that our data is safe; it’s also about everything around us. For example, what good are security measures if unauthorized people can get into our building and access our equipment? Or if none of our cleaning and maintenance personnel can work, and our workplace is contaminated to the point where no one can work? How do we ensure that our environment is safe?

As my very knowledgeable safety trainer taught me (and yes, I can still hear his voice in my head as I write this): “Security is holistic”. This means that security surrounds us in everything we do. It’s not just about making sure you don’t click on that sketchy link — it’s about making sure you don’t let a stranger into our department, making sure the right employee gets the right access to an internal system, or making sure your computer screen is locked when you leave your desk so that no unauthorized person can access sensitive data.

Hackers are resourceful. They are creative, smart, and always one step ahead. Without security and defense, companies would not be able to do business. I believe that customer loyalty goes hand in hand with security. If the customer knows that their information is protected, they are more likely to trust the company, which leads to loyalty. Without loyalty, the company has no business.

What I didn’t realize until I discovered the world of cybersecurity is that as a developer, I also have a responsibility. A company’s security is as weak as its weakest link. Harsh, but true. That means if one person is completely clueless about security, it doesn’t matter how many security specialists there are and how much money the company has spent on security controls. If that one person accidentally puts information in the wrong hands, it’s enough to break the system.

This is why we as employees are told to have strong passwords, preferably with letters, numbers and symbols. It’s also why we shouldn’t share our passwords with anyone. Do you know how long it takes to crack a password without symbols, with about 8 characters? About a minute. Shocking, right? This is exactly why awareness is so incredibly important, and why companies like NS are going to great lengths to spread the word.

So how did I end up in the most exciting field in IT?

How did I end up in cybersecurity? First of all, I think, because of my great sense of justice and my background in law. Second, I saw and still see a huge need for awareness among people. I don’t necessarily mean just employees — I mean all people. Security has really become my passion and I’m happy to share my knowledge with the people around me, so it was a natural step and transition in my career. I see a huge gap between the knowledge of an employee inside the security field and an employee outside the security field. This alone can be a threat to any organization and can only be solved with training, awareness and knowledge sharing.

The common thread is that security is so much more than just making sure that hackers do not successfully penetrate our systems; it is also about increasing the knowledge of all employees. The threats are becoming more serious and, as mentioned above, hackers are very resourceful. That’s why it makes me proud that companies like NS are making sure that we are protected against them, through measures but also through awareness, and why security has been put in the spotlight. An example of this is the ISO certification we’ve just received. These are all things I really wish someone had told me from the beginning. And with this, I hope to reach the employees who think like me. Together, and only together, we can make a change for the better.
