To Train or Not to Train, That is Not the Question
Recently, CSO published an article suggesting that organizations eliminate security awareness training from their security programs. The article has stirred great debate in security circles, including this one.
Citing the “Carronade” phishing test failure at West Point in 2004, the author went on to claim that any investment in security awareness training “is money wasted”. The overarching theme of the piece suggested that human susceptibility is impossible to eliminate. Because complete (100%) security is impossible to achieve in this area, resources should be dedicated elsewhere.
If this argument were true, there would be no firewalls. No antivirus. No security controls of any kind.
Let me first say that I respect the author for offering a viewpoint counter to that of the masses, and for getting us to think a bit. Let me then say that I believe the author missed the point. It’s not about eliminating training, it’s about eliminating ineffective training.
Anyone who has been protecting things for any length of time knows that trust is hard to come by. And it gets harder every day. Consider this:
- Business has become complex, amorphous and dynamic. An increasingly younger workforce cares less about privacy and security. Wireless, social media, virtualization, mobility – all of these have made it harder to protect critical assets.
- Attackers are multiplying and motivations are increasing. China just arrested 10,000 online criminals and other individuals suspected of Internet crimes. 10,000. And hacking is still not illegal in most countries.
- The tools to steal banking credentials and roll malware can be bought online with incredible ease. They’re inexpensive and come with technical support, just like Microsoft Office. Anyone can get into online crime.
Fighting cybercrime is a $400B industry, and we’re just getting started.
So now ask yourself, what – or better yet who – are you trusting to protect your assets?
I offer this counterpoint to the CSO article; an effective security awareness training is the best, perhaps the only security practice that, done effectively demonstrates dramatic, measurable return in today’s environment.
Your employees are everywhere, and they do everything. They touch every database. Every SSN. Every locked door. Every web application. Every e-mail. Every credit card number. Every line of code. Every turnstile. Every firewall rule.
Get the right message to your employees on a consistent basis and you have solved a significant number of your security challenges, or at least reduced risk in those areas. Change your employees behaviors and you have instantly changed your security profile. There is no other single security control that has that same potential.
Today, you may be trying to save the company time by making training optional for employees. Today, you may be trying to save the company money by having the security guy deliver your training. Today, you may be trying to save the company energy by delivering the same PowerPoint slides to management, IT and staff.
Today, you are wasting your money.
Tomorrow is another day.