I’ve heard any number of cyber security professionals downplay the effectiveness of employee awareness and training initiatives. I get it. IT experts love their technologies and their gadgets. It’s why they do what they do for a living. To get these individuals to concede that human safeguards are as important as technical safeguards can be an uphill battle.

But what I don’t get are the industry leaders who put no stock in security education whatsoever. These individuals don’t just downplay the effectiveness of training, they flat out tell people to give up on it. Flying in the face of studies by PwC, IBM, Aberdeen, and others, they’ve publicly shared opinions like these:

I couldn’t disagree more. And before you chalk that up solely to the fact that I am the CEO of a security education company, my strongly-held belief in the power and effectiveness of user education is much deeper than my drive for success in pursuit of a business opportunity. Quite frankly, I simply don’t understand why people who clearly value education in some contexts are willing to disregard its merits as it pertains to employees’ security behaviors.

Why the assumption that employees can’t learn to be safer?
I find it interesting (okay, outrageous) that security experts and industry players who vocally bash employee training have themselves benefitted immensely from education and who no doubt seek well-educated, experienced individuals to assist them in both their professional and personal lives. It is education, after all, that enables a high school graduate to become a brain surgeon. It’s training that allows an IT generalist to get up to speed and effectively manage a proprietary software platform. It’s education programs that inform employees about company-specific policies and procedures and allow them to execute against plans and directives.

Why the concession that those types of education bear fruit, but security education does not?

It’s important to explore the motivations of the anti-education crowd. Some of the most outspoken anti-education promoters are hardware and software executives — and they’re in the business of selling you network security products. So where do their loyalties lie?

The difference is that I would never tell you to turn off firewalls, disable email filters, or banish technical safeguards. It isn’t an “either-or” in my book. In fact, I think education is most effective when it works with technology to strengthen an organization’s overall security posture. But companies that are not educating their employees are doing themselves a disservice by overtaxing their hardware and software and thereby deciding that their IT teams are better suited to fighting fires from preventable mistakes than they are to furthering business goals.

The dangers of downplaying education
I shared what some opponents of security education have had to say. Now here are some quotes from industry experts who support security education:

Interestingly enough, I have never heard a return on investment or risk reduction argument from the anti-education crowd. Their advice doesn’t appear to be based on statistics or studies, just personal preferences.

[Learn more from Joe about the importance of user security education during his conference session, Social Engineering Lesson FromThe Real World, Friday, May 1, at Interop Las Vegas.]

But what I find most dangerous about the anti-education mindset is that it promotes stagnation within organizations. If there is no possibility of your staff learning anything new, perhaps all the hardware and software companies should stop innovating because new technologies require educated individuals to implement. If education is not of value, perhaps organizations should stop requesting resumes and applications and simply pluck individuals from the sidewalk and put them in business-critical roles.

Ridiculous? Yes! And why? Because there are always avenues for improvement. And all of those roads are forged by education. Industry data overwhelmingly supports the value of security education. The naysayers are just choosing to ignore the data and spew personal opinions rather than empirical evidence.