Decision Maker

Whither Security Training: When Education Trumps Technology

Your users might just be smart enough to handle security issues correctly -- with the right training.

There's always a limit to technology. At some point you simply have to ask users not to figuratively stick their fingers in power outlets.

And yet asking is one action most IT professionals never consider. I sometimes believe that the promised safety nets baked into most IT security technologies are the root cause of this behavior. You've read the glossies: "Implement our product and you'll protect your stupid users from themselves. We guarantee it!"

Walk around the expo hall at any major conference and you'll find an entire ecosystem of advanced technologies, all intended to legislate the redirection of those proverbial fingers toward safer locations. These days you can lock out Web traffic, approve application execution and sidestep unhealthy laptops into remediation networks. Heck, a few solutions even exist for monitoring, recording and tattling on every user activity. Big Brother would be proud.

All of these technologies have me wondering about the somewhat self-serving nature of the security product industry, not to mention the implicit blame game they peddle. Their posit: Your users are incapable of making the right decisions. The boogeyman exists. Protecting your network requires technological hand-holding. Buy our product. If you don't and something happens -- well, then it's your fault.

Teaching Users to Fish
All this makes me yearn for the tactics we used earlier, when times were simpler. Back then security products were less sophisticated, as were the attacks they intended to thwart. In those days, one of my smarter ideas was developing and delivering a regular education program on IT security. Every employee was required to attend some number of hours a year, with events held at regular intervals to ensure the concepts stayed fresh.

The education was simple: "Here are the kinds of attacks we've seen recently. Here are examples of things to do and not to do. When you see the following behaviors on your computer, don't try to do anything. Stop what you're doing and call us. Anything else, you can handle on your own, and here's how."

Simple stuff, but the result was immediate and measurable. The volume of help desk tickets went down. The relationship between IT and users improved. The simple act of teaching these users to fish empowered them with a personal stake in the game. Security issues became shared responsibilities.

Shame is a powerful motivator, and a little personal accountability quickly found itself extending into non-security issues as well. People actually began solving many of their own problems.

Security as Job No. 2
There's this saying my business partner and fellow Redmond columnist Greg Shields uses all the time, even though he knows it gets routinely misinterpreted. He says, "We need to stop thinking about security ... first."

You can probably imagine which heads in the room explode when they hear those words, but his point rings truer than you'd think. He continues, "In a world of ubiquitous Internet access and cloud services of all types, every security control you lay into place just moves more users onto Dropbox -- or any of the other online alternatives. Instead of prioritizing security first, we need to prioritize experience."

Believe in that new reality and you'll quickly realize you've got a choice. You can either attempt to shut down all the alternatives, or you can evolve your security mindset to meet today's workplace. A surprising number of IT pros still choose the former, even as users get more technologically savvy and organizations become less hierarchical in nature.

The smarter IT pros have gotten over themselves. They're using education as another way to involve users in that shared sense of corporate responsibility.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author Evangelist for video training company Pluralsight. He’s the President of, and specializes in the Microsoft business technology platform. Follow Don on Twitter at @ConcentratedDon.

