Learning In The Dark

Friday, 4-6 PM, Teaching Compliance.

I love a challenge but come on!

That’s a tough time slot for anyone, since you’re competing against a lot of much better options, not to mention it gets pretty cold and dark during the month of January. All of that coupled with having to teach compliance material and encryption methods meant I probably shouldn’t take it personally if the attendance was sparse.

During the PCI aspect of the course, I wanted to showcase how the standard impacts a security program by providing a real-world example of meeting a requirement, and given the immediate industry benefit, I found students were very eager to see that in action.

We’re Going to Have an Incident!

Requirement 12.10.2 requires that the incident response plan be tested annually. This effort is usually meant to ensure organizational alignment and awareness of the plan during a crisis, as well as (hopefully) to identify any gaps in response that would increase impact severity. When done properly, a table-top exercise provides tons of learning opportunities within any business. I knew the classroom was no exception, but I wanted something that scaled well to 30+ students, provided ample teaching opportunity, aligned with PCI outcomes, and could keep everyone interested for two hours on a Friday night.

I have enough D20s for everyone

I knew the right solution to those requirements was something game-like, and the concept of a Dungeons & Dragons style TTX adventure isn’t entirely novel, but I made some adjustments to align with the outcomes I needed. Instead of specific people playing roles inside a business, there were teams with shared abilities that moved the incident along. Individual students were assigned the CEO and CISO roles within the game, with strategic-level capabilities to help with the incident at various stages. Compliance also had a team, since the goal was to teach how incidents and compliance overlap.

I didn’t lay much out in a formal fashion, since I wanted the experience to unfold organically. That meant elements of randomness and improvisation would be necessary to keep things interesting, while still allowing me to steer the direction of the incident and the underlying lesson. Armed with a bag full of D20 dice, a loose agenda that at the very least covered the six phases of incident response, and a strong background in standup comedy, I had a new lesson plan.

How could we as a business prevent this next time?

While this was a mock incident inside a fictional e-commerce company, it didn’t take long for my students to ask questions I would expect from the C-suite in similar situations. This led to a fruitful discussion about security program development, how compliance attestations can help that effort, common pitfalls in incident handling, and incident impact. This was especially surprising since the majority of the students had not spent any time within a corporate security program.

Achievement Unlocked, Learning In The Dark

Within a two-hour time frame typically reserved for happy hour or dinner reservations before a show, 30+ students received a thorough lesson covering incident handling and response, business-layer impact, and security program gap identification, and there was no shortage of laughter about the in-game accidents along the way. The session was accessible to everyone; while I encouraged everyone to feel free to speak up and ask questions, some preferred to watch and listen. There was no struggle to get people engaged in the process, and the game became a frequent request for the remainder of the semester.

If you’re looking for something to showcase your security program, gain valuable insight into potential response gaps, help manage incident expectations at every layer of the business, and convince end-users to care about information security, reach out and let us know!
