Report Card: Incite #11 - Stupidity School
Submitted by Mike Rothman on Thu, 2006-12-28 08:37.
Though distasteful, security professionals will be forced to undertake a structured and comprehensive education program to stop employees from doing stupid things. Given the sophistication of attacks and the difficulty in stopping them at the perimeter, educated personnel may be the only defense.
Grade: B-
Original Days of Incite post: here
Incite Redux post: here
You ready for the good news or the bad news? The good news is that I’m getting far less pushback during conversations about security awareness training. Lots of CSOs remain skeptical because their results with training in the past have been, let’s say, “underwhelming.” But the message to keep fighting the good fight is starting to resonate.
Tools to test client-side social engineering attacks (like Core’s IMPACT pen testing product) are showing just how acute the problem is, and the fact is that the only way to solve this problem is to teach your users not to do stupid things.
The bad news is that there is a significant impediment to security awareness training, and that is the sheer amount of crap already on the typical CSO’s plate. It seems training initiatives ALWAYS end up at the bottom of the list. Why? CSOs are not trainers, and they don’t have time to build a curriculum to teach their users the right thing.
So they need help, and unfortunately there have been scant few options to drive an awareness program for users.
But help should be on the way. One of the most interesting announcements I saw all year was Symantec’s awareness training service (here). I haven’t tooled around in the interface yet (hint, hint), so I don’t know whether it will get the job done or not, or if anyone will buy awareness training from Symantec. But this is a sorely needed service and personally I hope Symantec has great success with it. Not because I want the Big Yellow to continue stuffing their pockets, but because their success will drive other Big Security lemmings to follow with their own offerings.
So I’m still fixated on security awareness training and I’m not ready to give up the ghost yet. It feels a bit like the tide turned late in 2006, but we’ll see.