For the Thousandth Time: Security is About Training Users

Commentary: Security is mostly a people issue, not a technology issue.

You can throw as much technology as you want at securing your organization but, when it comes down to it, you dont stand a chance unless your end users are aware that what they do—or dont do—has a lot to do with how secure your enterprise is.

At the 29th Annual Computer Security Conference and Exhibition in Chicago this week, security vendors and consultants kept stressing one point: Security is mostly a people issue, not a technology issue.

Here at eWeek Labs, weve written so many stories on the importance of internal security policies, on security training for employees, and on social awareness that IT managers reading these stories probably roll their eyes and think, "Well, duh." But guess what? We continue to receive an inordinate number of letters from IT managers commenting on how idiotic their end users are when it comes to security. If an end user doesnt realize you have to remove a mouse from its packaging in order to use it, can you realistically expect him or her to realize that scribbling a password on a Post-It note tacked to a computer monitor is not what you meant by "safe-keeping?"

Snicker all you want, but its true. Just ask Joe Duffy, Partner-in-Charge of the Security Practice within PriceWaterhouseCoopers Global Risk Management Solutions (GRMS) practice, who has heard his share of security breach scenarios involving employees. Duffy, who at the conference presented a model for figuring out how much security is enough, would be the first to tell you that managers need to consider training when determining how much to budget on security.

The CS/FBI Computer Crime and Security Survey 2002 found that 90 percent of respondents (primarily large corporations and government agencies) detected computer security breaches. Of that group, 43 percent were able to quantify a total of $455,848,000 in financial losses. Hoping to stave off some of those losses, IT managers are finally taking steps to train their employees. At the Federal Reserve in Washington, D.C., Kathryn Ogborn inundates new employees with security training, and messaging designed to promote awareness. And at St. Jude Medical Inc. in St. Paul, Minn., David Stacy developed a multi-language IT Security Awareness e-Learning program used by 4,000 users in 22 countries.

These IT managers are among the few making inroads toward securing their corporate infrastructures by focusing on training of end users. Unfortunately, however, many others have learned why its so hard to sell top management on investing in security training for end users: Deploying a global e-Learning curriculum isnt cheap, and its impossible to show a clear return on investment. Still, if enterprises are ever going to really solve their security problems, IT managers will have to find a way to sell the bean counters on end user training.

How are you selling CXOs on security awareness programs? Write to me at