Last month (27 March), the security and cryptography expert Bruce Schneier posted an article on his blog about security awareness training. It should go without saying that Bruce Schneier is one of the leading lights of the IT security world: he has written several very informative books which would always top our recommended reading lists and, most of the time, what he says about security is completely spot on.
However, this time he seems to have made a significant mistake, and it is largely driven by his focus on the IT part of information security.
In the article, Bruce writes:
I personally believe that training users in security is generally a waste of time, and that the money can be spent better elsewhere. Moreover, I believe that our industry’s focus on training serves to obscure greater failings in security design.
The two statements here aren't really as linked as Bruce makes out.
It is almost certainly true that a lot of security training is worthless and driven simply by external compliance requirements, and it is true that a focus on training can be used to avoid implementing good security practices. But once we move away from a very narrow sphere of security, for all practical purposes this argument breaks down.
The result is that security awareness training is currently one of the most cost-effective methods of improving your security.
It should always be the primary goal of any security implementation to ensure that security holds even if the end user is clueless. Unfortunately, user activity is almost always required to support and supplement the built-in security controls, and this is where security awareness training becomes paramount.
Bruce addresses his main concerns to those who think security awareness training is good (which is why it seems appropriate to respond in a post here), saying: [Emphasis added]
To those who think that training users in security is a good idea, I want to ask: “Have you ever met an actual user?” They’re not experts, and we can’t expect them to become experts. The threats change constantly, the likelihood of failure is low, and there is enough complexity that it’s hard for people to understand how to connect their behavior to eventual outcomes. So they turn to folk remedies that, while simple, don’t really address the threats.
The problem seems to be driven less by the value of "security awareness training" and more by what Bruce expects the outcome of this training to be.
No one in their right mind expects a security awareness training program to turn people into security experts. No one. This is a strawman which obscures the real value of security awareness training: employees who are more alert to security risks and more able to help you protect your business, its assets and themselves from a variety of threats.
Security awareness training does not replace the need to have a competent, skilled, motivated and professional security team. It does not remove the need to have properly implemented security controls. It doesn’t mean you can blame your employees for every breach. It doesn’t even mean that you can sit back and assume you will never experience a security breach.
Security awareness training does mean, however, that you have taken the proper steps to help ensure your employees are part of your overall security posture.
Security is about much more than protecting IT assets; it is about much more than ensuring your employees don't click on dodgy Facebook links, and it is about much more than making sure they aren't careless with their account credentials.
If your awareness program only looks at this, or if it is trying to create IT security experts in one session a year, then you are getting it wrong. You are missing the major point: how to best use the time and how to best engage your employees in your security process.
Good Security Awareness Training
Your security awareness training needs to drive three main themes home to your employees:
- Why security is important to your business. You need to make your employees understand their responsibilities and how their actions affect the bottom line (and therefore their jobs).
- How security is implemented in your business. What alarms do you have? What are the rules for lone workers? Where are phones allowed? Are employee-owned devices allowed? And so on. This is the meat of the training and is how you make your employees aware of the security around them (it is awareness training, after all).
- What your employees have to do. Once they know the why and the how, it is time to explain what is expected of them when they are going about their business: How do they summon help? How do they report a breach? What is the process for locking the office at night? How do they get access outside normal working hours? And so on.
None of this will turn them into experts, but equally it is far from a waste of your resources. Failing to provide security training means – in the current world at least – that you will spend more on security controls and/or suffer more security breaches.
Security training – do's and don'ts
As Bruce Schneier says, it would be great if we could engineer out the need for your employees to play a part, but the reality is that the spectrum of security risks is so wide, so complicated and so changeable that this is unlikely ever to happen.
Don't fixate on the computer-user part of your security; don't believe that security awareness training is wasted, but also don't think of it as a magic bullet.
Do provide good-quality, appropriate and effective security awareness training for your employees.