Last Friday, Amrit again said that no wars are won through awareness, and although he repeatedly claims that he’s not against user awareness training, he doesn’t really tell us where he thinks it should fit in. Instead he shows his bias as a former product manager and Gartner analyst and focuses purely on tools, providing a truly massive list of differing technologies that he feels shouldn’t be “de-prioritized”. Tools don’t mean jack if users don’t understand why they are there and how to use them appropriately. The appropriate time to begin user awareness training is not after everything else is in place, or even after “bare bones security measures”, but right away.
The time (as Amrit puts it) to “skip barefoot and joyfully through the glass shards that are human behavior” is day one. That’s why at most large companies new employee orientation includes a copy of the employee handbook and a review of its contents. How hard would it really be to add a bit about appropriate use? For that matter, companies that fall under SOX already have employees annually signing that they understand the corporate ethics rules, again a prime time to also remind them of information security. Sure, it’s only once a year, but combine that with monthly postings to an intranet site or an email newsletter and suddenly, with a minimum of effort, you can make a huge difference. Will users occasionally still click on a virus-infected email? Sure. Are they less likely to leave their laptops in the back seat of their cars if you give them an occasional reminder not to? You betcha, and if I can reduce laptop loss by even a couple of percent or don’t have to fire an employee for misconduct, then it’s more than worth that minimum effort.

Awareness

  1. Great post, guys! Amrit and I regularly fire at each other over this. You are right, he says that he isn’t against UA training, but he sure never gives us any evidence that he has any use for it. I’m a big proponent of UA training and know that it won’t solve all the problems, but it can take care of some that technology can’t handle.

  2. At the same time, there are some situations that training and awareness cannot handle, i.e. the vengeful or compromised insider, where technology is the only resort. That technology MUST involve additional internal controls that have up till now been absent. None of the status quo models will work.

