Network Security Focus-Microsoft

RE: New article on SecurityFocus

Subject: RE: New article on SecurityFocus
Date: Mon, 9 Jan 2006 16:26:18 -0500
 

-----Original Message-----
From: Richard Zaluski [mailto:rzaluski@ivolution.ca]
Sent: Monday, January 09, 2006 1:46 PM
To: 'Brady McClenon'; Derick Anderson; pen-test@securityfocus.com; focus-ms@securityfocus.com
Subject: RE: New article on SecurityFocus

I agree with Brady; it's frustrating to hear the same thing over and over as an excuse. Even a little education goes a long way. Yes, sure, you will always have the few people who just don't get it, but does that mean you abandon the whole concept? No, not in our books.


Let me make it clear that I'm not "abandoning" user education and I'm
not denying the benefits of it. However, in the context of security (a
separate issue from job training), I don't believe the benefits are worth
the cost.

I used to believe that if users were trained properly then they wouldn't
need anti-spam/virus/spyware/etc. because they'd know better than to do
stupid things like click on links to pictures of naked tennis players. I
used to put forth a lot of effort trying to educate users, thinking if
they knew the truth that their habits would surely improve. But as I've
said in my other post, a lot of users don't care or can't understand,
and it just doesn't make economic sense (to me) to spend time and money
when the practical and technical outcome (from a security perspective)
is essentially the same.

We (iVOLUTION) are a training and services company and have done corporate training in Security Awareness. Even some of the basic principles we teach have an immediate impact on calls to the help desk.

Every once in a while I spam our users with a "how not to get owned by
the internet" spiel, which reminds them of the basics of emails and
attachments. I've got nothing against the basics here, but expecting
education to compensate for good security practices and securely
designed systems is going too far.

If a company has excess funds and time for this sort of thing after
hardening their workstations, servers and network, implementing
additional layers of security, and auditing network usage policies,
great. Otherwise, spend the money and time securing things that don't
have minds of their own. =)

 
I think for the case of the 'Best Buy's' out there providing 
training along
with a PC, it's a nice thought, but it's a cost to them 
unless they can
market it and make money on it its not going to happen. The 
margins on PC
sales are thin so any additional costs added on is a hard sell to
management.  Companies such as that are into moving inventory.

Agree. The last time I bought a car, the dealer didn't make me re-take a
driver's test. 
 
Thanks

Richard Zaluski
CISO, Security and Infrastructure Services, iVOLUTION Technologies Incorporated
905.309.1911
866.601.4678
www.ivolution.ca
rzaluski@ivolution.ca


Derick Anderson