There are two rules in information security. 1) Never assume, always check. 2) Just because you are right today doesn’t necessarily mean that you will still be right tomorrow. Actually there are many more rules, including this one that I just made up. There will always be some wise old sage ready to impart words of wisdom that will make you question your own competence. Such an old sage is Peter Tippet, who is quoted in an article that, over the course of the last few days, seems to have been re-quoted just about everywhere. Except on this blog, which means I’m either out of touch or have had better things to do.
The article in question is this one here, but I don’t know why it’s caused so much comment because it says nothing we don’t already all know, and I’ve been sold on the value of default deny and security awareness programs for many a year.
One particular blog here quotes: “Security awareness training for end users is a complete waste of time and money. Save your money for real security solutions that solve real deficiencies in your defenses.” I’m sorry, but you are wrong. I could throw all sorts of statistics at you to tell you why and quote umpteen other individuals to support my argument, but life’s too short.
What I will say is that you always have to take a risk based approach. Consider controls in terms of the amount of residual risk that remains once the control is implemented. Not an easy concept to always get your head around. If you think that any technical control will mitigate 100% of the risk (therefore leaving no residual risk) then you need to wake up and take off the rose tinted specs. Security awareness mitigates risk, but not all of it. A combination of technical – hard – controls together with people based – soft – controls mitigates an even greater amount of risk, leaving less residual. You’ll still have some risk remaining to contend with, and it’s up to you to consider whether you’ve mitigated enough.
There’s no magic formula for calculating this either, because every business environment is different and some controls will work better in one place than in another.
The individual quoted above (who incidentally goes on to say “I would rather spend $100K on an authentication program that does not require user defined passwords than $10,000 every year for ever trying to get my users to stop using “Pistons”, “Patriots”, or “Redwings” as their passwords.”) is Richard Stiennon, Chief Marketing Officer of Fortinet. So one can see why he would prefer to preach the value of technical solutions 🙂