
Yes we can

I'm generally reluctant to criticize colleagues, but occasionally they come up with enough drivel to spur me into action. I was disappointed, to say the least, to read that Stuart King, a kindred spirit and fellow blogger, has taken to rubbishing the value of security awareness projects. Pay no attention to his ramblings. He's got it completely wrong.

Stuart's own initiatives might have failed to hit the spot, but there are still massive benefits to be gained from well designed security awareness initiatives. I've seen huge drops in security incident levels through smart educational projects.

The problem is that this is not a subject that amateurs can easily tackle. Many security awareness projects are poorly conceived and consequently ineffective. So don't judge them all equally. The solution is to get it right, not to broadcast failings. Just because you can't do it doesn't mean that others can't.


Comments (1)

Dear David,

I must confess I'm completely with you on this one. I am seeing an increasingly worrying trend of firms de-emphasising security awareness programmes because they have implemented technical controls instead.

I attend endless vendor presentations pushing encrypted USB sticks, content filtering and similar technologies, and organisations are starting to believe that people can no longer be the problem because "we've encrypted our laptops/USB sticks/phones" or whatever.

They couldn't be more wrong. Over-reliance on technical security and compliance controls leads to a false sense of security.

The last two years will undoubtedly go down in history as the ‘Data Blunder Years’. As the time when our wholly information-based society was critically undermined by our apparent inability - in both private and public sectors - to safeguard any of the information that comprises the lifeblood of that society.

Take a look at the underlying causes of virtually any of these major breaches and you'll find the same systemic failures: lack of a clear policy; lack of awareness to promulgate any policy that did exist; lack of accountability; lack of adequate supervision, etc. etc. - all essentially 'people' and management issues - not purely technical ones. Just read the Poynter review or any of the other aftermath follow-ups from major publicised breaches and you will see similar shortcomings unearthed.

Clearly the technical controls need to exist as well, particularly when protecting information in transit and storage. But remember: encrypted and locked-away information has no value. Its value is only evident at the point where it is used to extract business benefit - and clearly you cannot 'use' encrypted data. And who does the 'using' of any unencrypted data? Well, our people of course! (Oh, and by the way, we're in an economic recession, laying off boatloads of staff and undergoing unpopular forced mergers - so the motivation and opportunities for people to misbehave have never been greater.)

Bottom line is that we need technical security working in tandem with people security and process security to keep things secure. Like the photographer's tripod: take away any one of these crucial three pillars and your Nikon is knackered, so to speak.

Bests

Adrian Wright


About

This page contains a single entry from the blog posted on March 18, 2009 9:13 PM.
