Debate: Security awareness training is a worthwhile investment.

FOR

Andy Willingham, information security officer for a financial services company

User awareness training is vital to any successful information security program. Many security events are the result of people doing something that they shouldn't have done. Clicking on a malicious link, for example, or sending confidential information via unsecured email can put organizations at risk. A simple mistake can invalidate much of the security defenses that a company has implemented. Most of the time, such incidents occur because people are simply not aware or don't understand that their actions can affect computer security. Let's face it: Policies and technology cannot stand up to a user who really wants to see that funny video, work from home or use technologies that make their job easier. Good awareness training can, however, overcome these issues. Such programs should help people understand why they need to act securely. Also, awareness training programs should be engaging so users ultimately retain this valuable information. Users who understand that their actions matter will think twice before taking a risky action.

AGAINST

Amrit Williams, CSO, Quantivo

Security awareness training is simply not a worthwhile investment to protect corporate resources. Advanced and targeted attacks committed by dedicated interlopers or internal miscreants are far too sophisticated for the general public to defend against. It is popular to believe that we can build a knowledgeable, hypervigilant Jason Bourne-like cyber army, but that would require lots of knowledge, cooperation and adherence to rules.

Unfortunately, most of us – and I am looking directly at you, dear reader – have a Nietzschean Übermensch complex. We believe that rules and laws are good and should be adhered to by the general population, but that we are above them. We know better. We can run with scissors. We are the exception to the rule. In reality, we are not. Security awareness training is a worthwhile investment when one needs to inform their employee population of corporate policies, especially if violations of policy can lead to employment termination or criminal prosecution. For everything else, visibility and control are needed.
