My security department is not wasting its time

There are two rules in information security: 1) never assume, always check; 2) just because you are right today doesn't necessarily mean you will still be right tomorrow. Actually there are many more rules, including this one that I just made up. There will always be some wise old sage ready to impart words of wisdom that will make you question your own competence. Such an old sage is Peter Tippett, who is quoted in an article that, over the course of the last few days, seems to have been re-quoted just about everywhere. Except on this blog, which means I'm either out of touch or have had better things to do.

The article in question is this one here. I don't know why it has caused so much comment, because it says nothing we don't already all know; I've been sold on the value of default deny and security awareness programs for many a year.

One particular blog here quotes: "Security awareness training for end users is a complete waste of time and money. Save your money for real security solutions that solve real deficiencies in your defenses." I'm sorry, but you are wrong. I could throw all sorts of statistics at you to tell you why and quote umpteen other individuals to support my argument, but life's too short.

What I will say is that you always have to take a risk-based approach. Consider controls in terms of the amount of residual risk that remains once the control is implemented. It's not always an easy concept to get your head around. If you think that any technical control will mitigate 100% of the risk (therefore leaving no residual risk) then you need to wake up and take off the rose-tinted specs. Security awareness mitigates risk, but not all of it. A combination of technical (hard) controls together with people-based (soft) controls mitigates an even greater amount of risk, leaving less residual. You'll still have some risk remaining to contend with, and it's up to you to consider whether you've mitigated enough.

There’s no magic formula for calculating this either because every business environment is different and some controls will work better in one place than in another.

The individual quoted above (who incidentally goes on to say “I would rather spend $100K on an authentication program that does not require user defined passwords than $10,000 every year for ever trying to get my users to stop using “Pistons”, “Patriots”, or “Redwings” as their passwords. “) is Richard Stiennon, Chief Marketing Officer of Fortinet. So one can see why he would prefer to preach the value of technical solutions 🙂

Nice try. I have never been an advocate of security awareness training. I have always advocated technical solutions. I am no longer CMO at Fortinet. Independent once again! No more branding me with the marketing/vendor label. I realize there are plenty of people who think training is the answer. I just happen to be a realist. Training is a waste of money. Just fix the root cause and let users go on being naive and uncontrollable. They are.
Users are not naive, uncontrollable or stupid. I've come to the point where I'm feeling rather sorry for the end user, actually. Given the level of sophistication of current attacks, it's no wonder that even the best end users are getting caught out. And let's not forget that it's the end users that are generating the revenues and profits, and if you're an 'overhead', I'd actually start respecting them.
Not sure where Stiennon's been, but users are the root cause, and education, training, & awareness is the best way to fix it. Technology only takes us so far, and in the end you're still left with people on the inside being resourceful to defeat roadblocks to whatever it is that they're trying to accomplish (good or bad). True, ET&A isn't the end-all-be-all to security, but it's an essential piece. To (over)simplify and eliminate it, or focus only on it, would be an injustice to what is an extremely complex industry.
I think you need to go both ways - train your staff to respect security risks and invest in improving your internal security structure. All together could give good results.