Richard Stiennon says:
So, yes, there is good security awareness training. But I do not include teaching Bobby in reception how to avoid being taken in by Kevin Mitnick. It is futile and silly to expect your average employee to become paranoid enough to ward off social engineering attacks. Rather than invest in posters in the elevators exhorting people to stop strangers in the hallway, you should be investing in better security technology.
I do not agree. Read the whole article and then come back here. I'll wait.
I've been reading Michael J. Santarcangelo, II's book Into the Breach. I was lucky enough to get a preview copy. I will post a fuller review of this wonderful book later, but for now I want to offer the following from the introduction:
We face a human problem where people are the problem. The problem is that people have been unintentionally, but systematically, disconnected from the consequences of their decisions. As a direct result, they do not take responsibility and are not held accountable.
I agree that technical controls are important and should be implemented where appropriate. However, I disagree that providing awareness training to our people is a waste of time and resources. It can probably be done better, but it still needs to be done. How can we, as information security professionals, expect our users to treat information with due care if they are not aware of the importance of that information and the appropriate way to handle it? I submit that we cannot. We must, therefore, help them understand both the nature of the information they deal with on a daily basis and the way to handle that information so that it stays secure.
That's where I stand. I am really interested in your thoughts. What do you think about technical controls vs. awareness?