If People Aren’t Trained The Best Security Will Go For Naught

This week there has been much talk in the U.S. news about how Andrew Speaker, the now notorious TB patient (more specifically, a patient with extensively drug-resistant tuberculosis, or XDR-TB), apparently circumvented security controls with very little effort to come back into the U.S. via Canada.
My heading paraphrases a longer quote from Charles Schumer about this incident, one I really like, that also applies very neatly to all information security practices.

Reports indicate Speaker was able to cross into the U.S. through the Canadian border checkpoint because the agent there did not follow procedures.

“The Department of Homeland Security, which oversees border security, blames the agent entirely for the mistake. And it says the employee has been re-assigned to administrative duties saying, ‘The system worked effectively, but there was a breakdown with the employee.’”

Yes, even with the best security procedures in place, if your personnel do not follow them, security breaches will occur.
I’m not sure the agent truly is “entirely” to blame; I don’t know all the details involved. There is probably much more to the story than what has been reported. The agent may just be an easy scapegoat for the DHS to blame.
However, it does demonstrate that the human element truly is the weakest link in security. That holds not only for national security, but for any place where you depend upon people to follow specific procedures in order for security to be effective and prevent incidents.
As I read about this case, and how quickly the DHS was to blame the agent “entirely,” I wondered…
* How was the agent trained for these procedures?
* Did the agent just receive a memo, or did s/he receive effective, comprehensive training about how to do the checks and properly respond to the warnings raised by passport checks?
* Did the agent get this training only once, with no more awareness messages to follow-up, or did s/he receive ongoing awareness messages about the importance of the procedures to reinforce understanding?
* Did the agent’s manager allow for procedures to not be followed without applying sanctions?
* Did other agents also routinely not follow procedures for flagged passports?
As I mentioned at the beginning, I really like the Schumer quote about this…

“Sen. Charles Schumer, D-N.Y., also expressed concern. “You [can] have the best computer system in the world, but if the people on the job aren’t properly trained and don’t execute their job properly, that great computer system will go for naught.””

Yes, training is an important key to security success.
More organizations need to realize this. More resources need to be put towards awareness and training efforts.
CIOs and CISOs need to do a better job of making the case for information security and privacy training and awareness. An article this week discusses how information security leaders must maintain metrics to show business executives, who understand metrics far better than information security techno-babble, how security training efforts make a difference in the security environment of the business.
Very few security leaders establish baseline security metrics and then maintain ongoing metrics to demonstrate the impact of training and awareness efforts.
Too many business executives and information security leaders believe nonsensical reports, based upon flawed logic, that compare technical apples to training oranges and arrive at the hugely flawed conclusion that awareness and training have no impact on improving information security and privacy.
More information security folks who depend completely upon technical security controls need to understand this.
Yes, I really like Schumer’s quote. In fact, I think I’ll put it out there again.

“You [can] have the best computer system in the world, but if the people on the job aren’t properly trained and don’t execute their job properly, that great computer system will go for naught.”
