Train Barefoot Doctors in Your Organization

By Rob Lelewski, CISA, CRISC, CISM, CCE, CISSP-ISSMP, EnCE, GCIH

The Nexus  |  Monday, 11 June 2018

In the mid-20th century, rural China lacked basic healthcare services. This occurred for a variety of reasons, but the end result was obvious: without basic healthcare services, the ability to treat simple illnesses or educate the population on proper hygiene or family planning was limited or nonexistent outside of large urban areas. For a country as geographically large as China, the status quo was not tenable.

To remedy this, during the Cultural Revolution the Chinese government codified its efforts to bring medical expertise to rural villages by training farmers in basic medical knowledge. These trained rural citizens became known as “barefoot doctors,” a name that stemmed from the fact that the farmers often worked barefoot while tending their fields. Barefoot doctors were certainly not trained to perform surgery or treat cancer; however, they were capable of treating many simple ailments and promoting healthy practices within their villages. Should something more critical arise that was outside their expertise, experts were available in urban centers.

By this point, you might be wondering if you clicked on the wrong link and how this applies to information security. I promise, we will get there.

The concept of barefoot doctors, which is to train everyday citizens in basic, but specific, skill sets to assist their community when high-level expertise is not immediately available, is alive and well throughout many communities. For example:

  • The Denver (Colorado, USA) Regional Transportation District trained everyday transit riders in first responder skills. If an emergency occurs involving a bus or light rail vehicle, there are increased odds that a rider on the scene knows the basics of what to do until the experts arrive, and can assist those experts when they do.1
  • The Red Cross trains individuals and entire businesses in cardiopulmonary resuscitation (CPR). Should someone stop breathing, it is unlikely that a medical professional will be able to respond as quickly as desired (i.e., instantaneously). The more people trained in CPR who are nearby, the more likely it is that a person trained in basic CPR knowledge will be able to keep the victim alive until the trained first responders arrive.

The Denver Regional Transportation District and the Red Cross are essentially training barefoot doctors by providing specialized knowledge to be applied in specific situations where experts may not be immediately available.

How does this relate to information security? Just as barefoot doctors were valuable in rural China, they can be just as valuable to your organization.

How valuable would it be to your information security posture to have key representatives within your organization trained to identify and properly react to a security incident? These barefoot doctors, who may be representatives from human resources, risk, legal and other traditionally nontechnical functions, would receive additional training to recognize a potential security incident and respond to it correctly: preserving what they see, avoiding actions that alter or destroy evidence, and knowing whom to notify. These trained individuals would be known to their peers, and when a potential information security incident occurs, an employee may be more likely to discuss it first with one of the barefoot doctors (a peer) than to escalate it directly to information security. The barefoot doctor can then make sure the right details reach the security team quickly.

Of course, training employees in information security is not a new concept and should be part of an annual training program. The information security team, however, is limited in both technology and staff and cannot watch everything everywhere. Training barefoot doctors within the organization is an excellent way to provide additional information security knowledge to the key individuals who are likely to hear of an incident before the information security team does.

Rob Lelewski, CISA, CRISC, CISM, CCE, CISSP-ISSMP, EnCE, GCIH

Is a team lead for Secureworks’ proactive services and focuses on helping organizations prepare for cybersecurity incidents by creating and reviewing incident response plans, performing tabletop exercises, and conducting other activities to help improve his clients’ security posture. He is a regular contributor to The Nexus and muses about information security topics.

Endnotes

1 Regional Transportation District, Community Emergency Response Training, Denver, Colorado, USA