This is an old post written by Winn Schwartau in response to an article posted on Security Pipeline (now Dark Reading) called "User Training Isn't the Answer." When we searched for the original post, we could not find it in Dark Reading's archives. But we feel that Winn's response was so visceral and impassioned that it should be shared again. Many people believe that training users in security awareness is not a valid use of resources, but we here at The Security Awareness Company disagree with that position. Our CEO and president explains why:
This is clearly an insane position. (With all due respect…)
First of all, clueless users are the leading cause of security problems and general corporate IT errors. Don’t forget that there is no difference between a security problem and a user mistake: the results are the same. So, do we stop training users because they are too dumb to be trained and then expect the technology to handle it all? I think not. Not in any major company I know of.
Second, the security examples given are fairly advanced security techniques, and certainly practiced in a minority of firms. Crypto of data storage is a management nightmare, time consuming, and prone to errors. Digital signatures are healthy, but don’t solve a damned thing in most cases. Sorry ’bout that. Automate updates? I think not. For those of you who experienced SP2 or other poor upgrades, no. I prefer for others to be guinea pigs – and I certainly don’t want a beginner messing with that stuff… version 1.0 of anything is a beta by default. 🙂
What our networks of customers want are the two major items that I have evangelized and taught for 20+ years:
1. We don’t want users to become security experts. We want them to know WHEN TO CALL the experts, and to have the “number” ready at all times. This is called damage mitigation, risk control and using human firewalls as part of an organization’s detection systems. Critical. (But not train them? Insane.)
2. Security should be made personal. Corporate policies are unreadable psycho-cyber-legal babble. Useless. But, if you train folks to take care of themselves and their families, security awareness resonates loud and clear.
That's what a good security awareness program does: it creates a security-oriented mindset, driven by personal needs and desires, that is easily adapted to corporate security policy and procedure.
Ignore the insanity.
Remember: Security Awareness is the Leading Cause of Successful Security Programs.