Debate: Security training is effective in preventing workers from clicking on malicious links and attachments.

In this month's debate, two experts discuss whether security training is an effective strategy in the workplace.

PRO

Stu Sjouwerman, CEO, KnowBe4 

Money spent on security awareness training is not better spent on training developers to write secure code. Some argue that security awareness training is the whipping boy to illustrate how the computer industry has failed to design insecure systems. Perhaps those making that argument have forgotten that the internet really still is in beta. Vint Cerf recently admitted as such with his remark: “We never got to production code.”

In such an environment, you do want to educate your end-users and provide them with the knowledge and skills to spot social engineering red flags, and not to click on suspicious links or open infected attachments. Our training never fails to show a dramatic reduction in what we have called an organization's “phish-prone” percentage. The stats show the effectiveness: up to 80 percent fewer clicks on simulated phishing attacks. These days security awareness training is a must.

That said, it's but an essential piece of the whole defense-in-depth puzzle organizations need to have in place. 

CON

Dave Aitel, CEO, Immunity 

Security awareness training is one of the most overrated – and dangerous – aspects of security planning that any organization can use. The premise is a simple one: Employees are targeted in phishing schemes, so let's teach them how to not get owned. But the problem is that no matter how much training an organization provides employees, the worker is still going to screw up.

Employees weren't hired to handle your company's security – and they shouldn't be expected to. By placing an emphasis on employee training, you're giving yourself the false assurance that this is somehow making the company safer. It isn't. Even trained employees stand no chance against a modern attacker who customizes his phishing attack against that individual. Security awareness simply cannot address this threat.

It's the CISO's job to make sure that technical controls are in place to mitigate these threats. The reality is: An employee should be able to click on any link, open any attachment and go about their jobs as they see fit, and not expose the company to a serious breach.
