Friday, April 25, 2008

Awareness training is not enough

Article on the Secure Computing website by Paul Fisher, 11 April 2008: an interview with Bret Hartman, Chief Technology Officer at RSA.

Hartman is asked about preventing human error where data security is concerned. "Less and less information is actually under the control of central IT these days. Information is created everywhere, it's out on everybody's laptops, it's outsourced, it's developed all over the world." He believes that having the right technologies in place to maintain that control is the only solution, and that training, whilst crucial, is of limited value.

Everybody goes for training, is told about the company security policy, reads it and then ignores it, happily sending out data on USB sticks and web-based email, because they are under pressure to get things done and achieve results.

"The world is too complicated and, frankly, it's too difficult to be able to follow those policies under strain. I'm a believer that the right technologies have to be in place to be able to control and enforce that."

To him, then, no matter how much training people have or how often you remind them of the importance of security, they will go on making mistakes. Security is typically well down the list of priorities, and most people view security controls as an impediment to getting their work done.

A nice turn of phrase: clever people doing stupid things - it could be the title of a self-help book for information security professionals. Hartman believes that all the technology needed already exists, but that the real problem is a failure of application.

I can see Hartman's point of view, but I am not sure how it works in practice. There is the danger that you put all the technical controls in place but they then make the job too difficult. Rather than making errors, people then have to implement far more sophisticated workarounds that ultimately can be more risky. Equally, I agree that most training, in all domains, often fails to achieve its objectives.

Andy Brazier
