No Infosec Sacred Cows

Thursday, August 02, 2012

Dave Shackleford


We have sacred cows in infosec, apparently. I read a blog post by Dave Aitel about security awareness recently that I really enjoyed – he took a very bold stance on a topic that everyone seems to have an opinion about.

His argument? Security awareness is useless. Ditch it, and spend your time and money on technologies and techniques that actually control what users can do and what can happen to them.

Is he exactly right? No, probably not. But he took a stance, and got some thought-provoking dialogue going. What was incredibly disconcerting to me, however, was the vitriol people started spewing in the comments – how DARE he propose such a thing?!

I tried commenting on the post, but I think CSO flagged it and didn’t let me through. I was probably being a bit acidic in my comment as well, but for different reasons. So a few things shook out; in essence, here’s what I was trying to say:

  • People, don’t be LEMMINGS. I saw a lot of people who were puffing out their chests as “leaders” in the infosec space spewing garbage about “people, process, technology” like they were attached to Shon Harris’ rear-end after having a love fest with her CISSP study guide. C’mon, just because it’s one of the “10 domains” doesn’t mean you have to evangelize.
  • Most security awareness programs SUCK. I would be willing to bet the majority of the awareness proselytizers on the thread are doing the same old crap with some stupid Web-based Flash thingie that people click through as fast as they can, and a little printout goes in their HR folder of whatever. UGH. That doesn’t work, never has, and never will.
  • Given that most programs suck, what is wrong with a contrarian view? Start a conversation on new methods of security awareness and protection, but don’t demonize Dave (who has likely seen more overall than most posters) for having the balls to suggest that something BLATANTLY NOT WORKING for most should be canned.

I generally think security awareness is ridiculous. Sure, sure, you need that compliance checkbox that asks for it. And OK, you have to TRY, I get that, too.

But sometimes, we seem to cling desperately to ancient ideals and practices in this field that just might have run their course. I’m not ready to say security awareness is one of them… yet. But we can and should try to improve it, across the board, or find something else to do instead.

Cross-posted from ShackF00

CP Constantine I think it's fair to say that Security Awareness programs, like all other controls, experience the same diminishing-returns problem. You should be able to deploy a fairly minimal awareness program to some effectiveness, with a limited amount of time and effort cast at it. Focusing on it to where it becomes a significant cost center is likely just as ridiculous. Things will always slip by, the idea is just to minimize that surface to a trackable level.

But yes, the current implementations of security awareness programs seem, to me at least, to be authored by the very same people that /don't get infosec/ in the first place.

Baby, bathwater, etc etc.
Kathleen Jungck I agree, we need to do a better job on "Awareness" programs, and how they are delivered. We now have access to a lot of e-learning development tools, social communications tools, and other richer media that could move Security Awareness towards Cyber Security Literacy.

If BYOD results in similar paradigm shifts as the interactive terminal and personal computer, we're going to need it!