Nothing riles up information security professionals quicker than the question of how much to invest in security awareness training. Does it work? Is it worth the money?
"There are three things you don't talk about in security: religion, politics, and security awareness training," says Jennifer Minella, VP of engineering with Carolina Advanced Digital and a member of the board for the International Information Systems Security Certifications Consortium, or (ISC)2.
Not that security training doesn't work. In the 2014 US State of Cybercrime Survey by PricewaterhouseCoopers, 42% of respondents said security education and awareness for new employees played a role in deterring potential attacks. The financial value of employee awareness was also compelling, the report found: companies without security training for new hires reported average annual financial losses of $683,000, compared with $162,000 for companies that provided training.
Security professionals generally recognize the importance of security awareness training as part of an overall information security plan. Users need to know they have a role in securing the organization's data. In (ISC)2's latest Global Information Security Workforce Study, adherence to security policy and training staff on security policy ranked No. 3 and No. 4 in effectively helping secure an organization's infrastructure.
But then there are high-profile security experts such as Bruce Schneier, CTO of Co3 Systems, who've argued that training is mostly a waste of time. Users aren't information security experts and shouldn't be expected to keep ahead of potential threats. These experts believe the focus on awareness training takes attention away from bigger industry issues such as failures in software design and lack of technical controls.
The dividing line?
For most enterprises, it's not a decision between training and no training. In many industries, regulatory compliance mandates some form of security awareness training for employees. Rather, the question is, how much training is enough? The list of companies suffering data breaches is growing steadily, and many of them made significant investments in training, raising questions about its effectiveness.
"It's weird that we are saying, 'Don't click,' to users," says Dave Aitel, CEO of Immunity, a security software company. Users should be allowed to do whatever they need to do for their jobs, and it's IT's job to create an environment with technical controls in place to protect them, he says.
The counterpoint is that users aren't stupid and should share some responsibility in keeping their companies secure, Minella says. All employees, regardless of role or position, are expected to represent the company's strategic goals and behave accordingly at work, at home, and on social media.
"Security is not siloed anymore, and everyone needs to work together on common business goals," she says.
Awareness, not responsibility?
The anti-training camp argues that the emphasis on security awareness training frequently means that users catch the blame when a data breach occurs. A number of recent major data breaches began with a spear-phishing email, and security departments sometimes blame the compromises on "so-and-so clicking on the email" rather than concede that the organization didn't have the right security defenses in place.
"There is a difference between awareness and relying on training users to avoid the threats," says Anup Ghosh, CEO of security software firm Invincea.
If a company wants to protect sensitive intellectual property from corporate espionage, it acquires and configures firewalls and other defenses. But if the company is concerned about spear phishing, the answer is inevitably, "'We will train the users,' which doesn't make any sense," Ghosh says. Spear phishing should not be treated as a problem with users, but rather as an attack on users requiring a technical response.
InformationWeek Tech Digest (free registration required).