Bad Advice from the Uninformed and Inexperienced Hurt Information Security & Privacy Efforts

The results of the poll for this past week show that 91% believe information security and privacy training and awareness is important, but 9% believe it is not necessary to effectively safeguard data.
Well, I’ve had some very interesting conversations in the past few years, usually while at conferences and when chatting with vendors, who were emphatic about how awareness and training is “a waste of time and money.” As the results of my very unscientific poll show, while this opinion may be a very small percentage, it still could significantly impact information security program efforts based upon the folks who are putting down the awareness and training…the influence they have on non-infosec corporate decision makers could be very damaging to overall efforts…

I believe, based upon my many conversations with folks about awareness and training, that there may be some interesting characteristics for those who regard information security and privacy as worthless. What strikes me about this opinion is that the people who have expressed this viewpoint with me, 1) were from security technology vendors, and 2) had never been a practitioner responsible for the organization’s information security or privacy program. I’m not saying ALL non-practitioner-experienced technology vendors have this viewpoint; some are great advocates of education.
However, of the few information security industry folks I’ve spoken with who *ARE* passionate about spending money on technology and *NOT* on personnel education, these were the two characteristics that I noticed.
I believe that anyone who has ever been responsible for their entire organization’s information security program knows from practical and hard-knocks experience that raising the awareness and knowledge of personnel is imperative to protecting information assets. I was a practitioner for 12 years, and I *KNOW* it is necessary. I’ve seen it demonstrated. I’ve seen lack of awareness and understanding cause significant incidents, not only back when I was starting out, but also within many different organizations of all industries and sizes in the past going-on-8 years I’ve been consulting.
The information security and privacy practitioner leaders who are considered the best in the field always emphasize the importance of awareness and training to protecting information.
Governments around the world recognize the importance and have made information security and privacy education for personnel a requirement within numerous data protection and privacy laws.
However, a very small percentage of high-profile technology-specific vendors with no experience in running an organizational security program still make off-hand, unsubstantiated statements, based upon pure conjecture or comparing apples to oranges, that education does not work. This worries me. When information security and privacy practitioners already have a hard time getting funding and resources (time, personnel, etc.) for personnel education activities, statements like this make their already tough jobs even harder. Statements such as this also give new information security practitioners bad advice and mislead them into making decisions that are not in the best interest of their organizations.
Hopefully information security and privacy practitioner leaders will challenge the next technology vendor, who claims that information security and privacy personnel education is worthless, to explain how much experience the vendor rep has in running an organizational information security program. When the answer is “uhmm…no experience” it will definitely be worth pointing out to your decision-makers that of course a technology-specific vendor, with no practical experience in running an information security program, will say that educating personnel is worthless; after all, he or she wants your organization to spend all your money on his/her products, and not on something they do not offer.
