There’s a spirited debate going on about the value of training employees for security awareness. It started in May 2012 with Joe Ferrara’s article for CSO magazine, Ten commandments for effective security training. Ferrara is president and CEO of Wombat Security Technologies, a vendor of security training materials. Ferrara’s article assumes that companies are going to deliver security awareness training to their employees and he provides advice on how to make sure the training is worthwhile.
Every company should provide security awareness training for its workers, right? Well, it turns out that not everyone sees the sense in that.
Presenting a counterpoint with his own article in CSO magazine, Why you shouldn’t train employees for security awareness, is Dave Aitel, CSO of the security consulting firm Immunity. Aitel argues that the resources spent on trying to teach employees to be secure would be better spent on technologies to secure the environment and segmenting the network. According to Aitel: “A user has no responsibility over the network, and they don’t have the ability to recognize or protect against modern information security threats any more than a teller can protect a bank.”
I’m not the first person to add my opinion to this debate; the blogosphere is lit up with comments. Judging by the responses I’ve read, Aitel certainly hit a nerve but he has few supporters who agree with his viewpoint. As for me seeing eye to eye with Aitel, I’ll use the immortal words of HAL 9000: “I’m sorry, Dave. I’m afraid I can’t do that.”
Aitel writes that it’s hard to find broad statistical evidence that supports his point of view. (Maybe it doesn’t exist?) On the other hand, there is plenty of statistical evidence of the value of security awareness training. For example, in PwC’s latest breach report published in April 2012, the global consulting firm analyzed the results of a survey conducted by InfoSecurity Europe. According to this survey:
PwC also concludes that most serious breaches result from failings in a combination of people, process and technology, and it’s important to invest in all three aspects.
Aitel takes the position that a user has no responsibility over the network. He basically says it is entirely IT’s job to deploy technology effectively enough to prevent any and all successful attacks. That’s just not practical, on so many levels. First, an environment hardened to that degree will stifle the business, which happens to be the very reason for the network’s existence. Next, it would be cost-prohibitive to build the network equivalent of Fort Knox. Most companies spend less than 10% of their total IT budget on security, and there’s rarely funding available to build and maintain the type of environment Aitel proposes. And third, technology isn’t foolproof. An end user who posts his username and password on a sticky note above his PC opens the door to an intruder whom security systems might never flag as doing anything wrong until it’s too late.
Even if we agree with Aitel that IT owns the network, it’s also true that IT doesn’t own the business data used on the network. The data is owned by the business units — in other words, the very people whom Aitel says we needn’t train. But if these people own the data, they need to understand the risks to their data and what they can do to protect it. This is what security awareness training is all about.
At the end of the day, it’s all about risk. If you can do something to reduce your organizational risk and it is reasonably priced, you would do it, wouldn’t you? Forget about whether it is technology, training, or services. It shouldn’t matter what it is—if it works, it works. We need to use all of our capabilities to reduce risk and avoid cyber security attacks. Nothing should be off the table, and that includes awareness training.