Security Awareness and Life in the Real World

The line usually goes something like this: “Users should be allowed to do whatever they need to do for their jobs, and it’s IT’s job to create an environment with technical controls in place to protect them.” Or like this: “Training is mostly a waste of time. Users aren’t information security experts and shouldn’t be expected to keep ahead of potential threats.”
They then typically go on to say that awareness training detracts from “bigger industry issues such as failures in software design and lack of technical controls.”
Well, okay. There’s the world we all want to live in, and then there’s the world we actually live in. The smart money is on those who choose to live in the real world. And part of that reality is the fact that untrained—and consequently unaware—employees cause more security problems than any technology can ever hope to solve.
We have no problem with technology. In fact, we’d love to see more of it. And certainly, no one is keeping the technology solution providers from delivering better security products. But until technology can adequately address and secure every endpoint, the many remaining gaps need to be covered. And because people are involved, we all know that those gaps will never be bridged by technology alone. That’s a pipe dream. And it’s why the comments of people like Dave Aitel, one of the more vocal critics of awareness training, are so misguided when they advocate adopting the “cheapest and least painful” options for training, and applying the savings to technical controls. That’s just stupid.
Security budgets must balance people, processes, and technologies in appropriate measures. Technology alone leaves unprotected the operators who now actually constitute the bulk of the attack surface, both as to probability and potential consequences. Dr. Larry Ponemon, based on his deep studies of thousands of organizations, concludes, “For most organizations, Step One tends to be technology rather than people, which is a mistake. Organizations should first get their people squared away, and then start making investments in technology. But we’re constantly fighting the mantra of ‘better security through better technology.’ They believe that if we have the best tools, we can nip this in the bud. It doesn’t work that way.”
That’s because in theory, there’s no difference between practice and theory—in practice, there is. We have to operate with eyes wide open in the real world. Arguments to the contrary simply defy sense—and end up costing millions of dollars.
It’s like the perennial rant that insists “passwords are dead!” No question, the password system is deeply flawed. But until such time as it is fixed—if it ever gets fixed—we’re stuck with passwords. That’s the reality. Doesn’t it make sense, then, that users should know how to choose passwords that are more secure and learn how to protect them?
Another angle the naysayers resort to is to claim that security awareness can’t provide 100% protection. Of course it can’t! And neither can technology. But when taken together, technology and awareness work hand in hand to dramatically reduce the risk profile.
All countermeasures have points of failure. Does that mean you toss them out? Of course not! Security awareness—just like all security technologies—is about reducing risk, not completely eliminating it.
That said, awareness training actually contributes far more to reducing risk than you might imagine. Take, for example, the recent report from PWC: US Cybercrime: Rising Risks, Reduced Readiness—Key Findings from the 2014 US State of Cybercrime Survey. It’s worth quoting the passage of interest in full:
“The merit of awareness programs is quite clear: 42% of respondents said security education and awareness for new employees played a role in deterring a potential criminal, among the highest of all policies and technologies used for deterrence.
The financial value of employee awareness is even more compelling. Organizations that do not have security awareness programs—in particular, training for new employees—report significantly higher average financial losses from cybersecurity incidents. Companies without security training for new hires reported average annual financial losses of $683,000, while those that do have training said their average financial losses totaled $162,000.”
(For more on the ROI of security awareness, check out the whitepaper, Making the Business Case for Security Awareness.)
Now, certainly none of the foregoing suggests that all awareness training products are the same. In fact, a great many security awareness initiatives fail. Consequently, the quality of the training matters a great deal. As does its design and architecture. Fortunately, sorting out the good from the bad is now a lot easier with Gartner’s Magic Quadrant for Security Awareness Training, which placed MediaPro in the strongest position relative to all other training vendors. Also, the eBook, 3 Steps to Awareness Success, provides a comprehensive blueprint for an effective security awareness program, as well as tools you can use to determine the best possible solution for your organization.
Still have doubts about the role of security awareness training in your overall information security mix? Please get in touch with us—we would welcome the opportunity to hear about them.
