Thanks to Mike Rothman at Securosis making the case for security awareness training. Mike and the rest of the Securosis gang have a great perspective on the state of information security and threats. I’ve always appreciated their pragmatic advice, and how they regularly promote ways to enhance your security program through process improvement rather than just throwing more technology at the problem.
Mike talks about a rebirth of security awareness training, which definitely is gaining more respect in the industry. His concluding sentiment is perhaps the most powerful:
Get on board with security awareness training. Or keep cleaning up the mess.
The other week at RSA there was a debate on whether or not awareness training was worth doing at all. The panel was overwhelmingly against awareness training, but the audience was for it! (Note to RSA: Get some awareness professionals for your next panel). The majority of the audience confirmed that their awareness programs were meaningful and provided benefit.
I feel the industry is starting to learn that security awareness shouldn’t be limited to a once-a-year presentation that is done solely to meet an audit requirement. Those programs are only effective at keeping an auditor happy. Today’s security awareness professionals are taking a risk-based approach and developing creative techniques to get the right information to the right people at the right time — which is challenging but effective in reducing risks to the human element.
Phishing is doing a lot to raise the need to address employees as part of your overall defense strategy — something most infosec engineers would rather not have to do, but can no longer deny.