Decision Maker

Whither Security Training: When Education Trumps Technology

Your users might just be smart enough to handle security issues correctly -- with the right training.

There's always a limit to technology. At some point you simply have to ask users not to figuratively stick their fingers in power outlets.

And yet asking is one action most IT professionals never consider. I sometimes believe that the promised safety nets baked into most IT security technologies are the root cause of this behavior. You've read the glossies: "Implement our product and you'll protect your stupid users from themselves. We guarantee it!"

Walk around the expo hall at any major conference and you'll find an entire ecosystem of advanced technologies, all intending to legislate redirecting those proverbial fingers toward safer locations. These days you can lock out Web traffic, approve application execution and sidestep unhealthy laptops into remediation networks. Heck, a few solutions even exist for monitoring, recording and tattling on every user activity. Big Brother would be proud.

All of these technologies have me wondering about the somewhat self-serving nature of the security product industry, not to mention the implicit blame game they peddle. Their posit: Your users are incapable of making the right decisions. The boogeyman exists. Protecting your network requires technological hand-holding. Buy our product. If you don't and something happens -- well, then it's your fault.

Teaching Users to Fish
All this makes me yearn for the tactics we used earlier, when times were simpler. Back then security products were less sophisticated, as were the attacks they intended to thwart. In those days, one of my smarter ideas was developing and delivering a regular education program on IT security. Every employee was required to attend some number of hours a year, with events held at regular intervals to ensure the concepts stayed fresh.

The education was simple: "Here are the kinds of attacks we've seen recently. Here are examples of things to do and not to do. When you see the following behaviors on your computer, don't try to do anything. Stop what you're doing and call us. Anything else, you can handle on your own, and here's how."

Simple stuff, but the result was immediate and measurable. The volume of help desk tickets went down. The relationship between IT and users improved. The simple act of teaching these users to fish empowered them with a personal stake in the game. Security issues became shared responsibilities.

Shame is a powerful motivator, and a little personal accountability quickly found itself extending into non-security issues as well. People actually began solving many of their own problems.

Security as Job No. 2
There's this saying my business partner and fellow Redmond columnist Greg Shields uses all the time, even though he knows it gets routinely misinterpreted. He says, "We need to stop thinking about security ... first."

You can probably imagine which heads in the room explode when they hear those words, but his point rings truer than you'd think. He continues, "In a world of ubiquitous Internet access and cloud services of all types, every security control you lay into place just moves more users onto Dropbox -- or any of the other online alternatives. Instead of prioritizing security first, we need to prioritize experience."

Believe in that new reality and you'll quickly realize you've got a choice. You can either attempt to shut down all the alternatives, or you can evolve your security mindset to meet today's workplace. A surprising number of IT pros still choose the former, even as users get more technologically savvy and organizations become less hierarchical in nature.

The smarter IT pros have gotten over themselves. They're using education as another way to involve users in that shared sense of corporate responsibility.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author Evangelist for video training company Pluralsight. He’s the President of, and specializes in the Microsoft business technology platform. Follow Don on Twitter at @ConcentratedDon.


  • Azure Cost Management Now Commercially Available for Some Tenancies

    Microsoft on Monday announced that its Azure Cost Management feature had reached the "general availability" release stage for both Azure "pay-as-you-go" customers and Azure Government tenancies.

  • Microsoft Bringing Files Restore Capability to SharePoint Online and Teams

    Microsoft on Monday announced that it's delivering its Files Restore feature for SharePoint Online and Microsoft Teams to Office 365 tenancies as early as this month.

  • Microsoft Nabs IoT Platform Provider Express Logic

    As part of its plan to invest $5 billion in IoT technologies, Microsoft this week acquired Express Logic, which provides real-time operating systems for industrial embedded and IoT devices.

  • Dealing with Broken Dependencies in SCVMM

    Brien shows you how to resolve some broken, template-related dependencies in Microsoft's System Center Virtual Machine Manager.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.