Decision Maker

Whither Security Training: When Education Trumps Technology

Your users might just be smart enough to handle security issues correctly -- with the right training.

• By Don Jones
• 08/01/2012

There's always a limit to technology. At some point you simply have to ask users not to figuratively stick their fingers in power outlets.

And yet asking is one action most IT professionals never consider. I sometimes believe that the promised safety nets baked into most IT security technologies are the root cause of this behavior. You've read the glossies: "Implement our product and you'll protect your stupid users from themselves. We guarantee it!"

Walk around the expo hall at any major conference and you'll find an entire ecosystem of advanced technologies, all intending to legislate redirecting those proverbial fingers toward safer locations. These days you can lock out Web traffic, approve application execution and sidestep unhealthy laptops into remediation networks. Heck, a few solutions even exist for monitoring, recording and tattling on every user activity. Big Brother would be proud.

All of these technologies have me wondering about the somewhat self-serving nature of the security product industry, not to mention the implicit blame game they peddle. Their posit: Your users are incapable of making the right decisions. The boogeyman exists. Protecting your network requires technological hand-holding. Buy our product. If you don't and something happens -- well, then it's your fault.

Teaching Users to Fish
All this makes me yearn for the tactics we used earlier, when times were simpler. Back then security products were less sophisticated, as were the attacks they intended to thwart. In those days, one of my smarter ideas was developing and delivering a regular education program on IT security. Every employee was required to attend some number of hours a year, with events held at regular intervals to ensure the concepts stayed fresh.

The education was simple: "Here are the kinds of attacks we've seen recently. Here are examples of things to do and not to do. When you see the following behaviors on your computer, don't try to do anything. Stop what you're doing and call us. Anything else, you can handle on your own, and here's how."

Simple stuff, but the result was immediate and measurable. The volume of help desk tickets went down. The relationship between IT and users improved. The simple act of teaching these users to fish empowered them with a personal stake in the game. Security issues became shared responsibilities.

Shame is a powerful motivator, and a little personal accountability quickly found itself extending into non-security issues as well. People actually began solving many of their own problems.

Security as Job No. 2
There's this saying my business partner and fellow Redmond columnist Greg Shields uses all the time, even though he knows it gets routinely misinterpreted. He says, "We need to stop thinking about security ... first."

You can probably imagine which heads in the room explode when they hear those words, but his point rings truer than you'd think. He continues, "In a world of ubiquitous Internet access and cloud services of all types, every security control you lay into place just moves more users onto Dropbox -- or any of the other online alternatives. Instead of prioritizing security first, we need to prioritize experience."

Believe in that new reality and you'll quickly realize you've got a choice. You can either attempt to shut down all the alternatives, or you can evolve your security mindset to meet today's workplace. A surprising number of IT pros still choose the former, even as users get more technologically savvy and organizations become less hierarchical in nature.

The smarter IT pros have gotten over themselves. They're using education as another way to involve users in that shared sense of corporate responsibility.