Network World

Richard Stiennon

Good vs Bad Security Awareness Training

By stiennon on Thu, 07/31/08 - 3:25pm.

Every corporate policy on security I have seen, and most best practice guides, demand an active security awareness training program. I have never been a fan of the concept because it seemed like perfectly good money being wasted, both in hard dollar terms (the cost of training material, posters, CBT, and teachers) and in the soft but equally real costs (taking people away from their jobs on an annual basis).
But it has been pointed out (by me) that most of what I do, public speaking, this blog, and my columns, is actually security awareness training, as I inveigle corporate leaders to pay more attention to the threats from cyber criminals, extortionists, and now spying nation states.
So, yes, there is good security awareness training. But I do not include teaching Bobby in reception how to avoid being taken in by Kevin Mitnick. It is futile and silly to expect your average employee to become paranoid enough to ward off social engineering attacks. Rather than invest in posters in the elevators exhorting people to stop strangers in the hallway, you should be investing in better security technology. Need to train people to change their passwords every three weeks? Just institute an Identity and Access Management solution that forces them to. Need stronger passwords? Go for one-time tokens.
What kind of security awareness training do I like? I love training IT administrators and developers in hacking techniques. If they see how simple it is to break in or bypass applications, they will institute better controls and write better code. There are lots of hacker training classes. I will compile a list and post it here. If you have a favorite class, let me know either by email or leave a comment.

Tags

Awareness Training

I fully agree that the typical awareness training course is a waste of resources. But I don't agree that Bobby in reception can't be trained to do things in a more secure way.

The problem is that training alone won't do it. A culture of secure practice in Bobby's organization is needed. If it is SOP not to, say, click on a link, and there are consequences to getting infected, then Bobby will be less likely to do what he shouldn't.

How does one get there? I have some ideas, but no firm answers. Culture is certainly hard to change, and the goal I've outlined may be worthy of Quixote. But until we begin to think in terms of having an entire organization behave securely, we'll be at the mercy of Bobby and his ilk, those users too many of us believe are too dumb to teach.

Frankly, relying on too much technology is just stupid.

Advocating little to no training for employees is just asking for trouble. Relying just on technology to solve the problems is akin to how the intelligence community functioned before 9/11.

You have to have the people involved and no, they don't have to be as clued in as someone who is a security professional. At least a modicum of knowledge, intuitiveness, and training would stop many attacks from the lower spectrum of intrusions.

The trick is to get the people motivated and not just have some static and uninteresting presentation, like a ranty rant blog entry on how useless employee training is compared to buying more expensive technology.

Technology and training is not enough

Technology alone is not the answer, as what technology can cater for people sharing their passwords, or propping open fire exits so that they can have a cigarette without going through access control? It seems that many security directors just want a 'tick in the box' and invest in training products that employees go through once a year. In my experience, technology, training and ongoing security awareness is the way to keep security in everyone's minds. Regular reminders that are engaging, presented in a variety of mediums and which clearly answer the 'why should I do this?' question are key.

About Stiennon onSecurity

Richard Stiennon is a security industry analyst. He is currently consulting, speaking and writing on all manner of security topics for IT-Harvest, the IT research firm he founded to cover the security space. He was most recently chief marketing officer for Fortinet. He has served stints at PricewaterhouseCoopers, Gartner, and Webroot Software.