Sunday, October 6, 2013

Security Education, Training, and Awareness: Is it Useful?

As with every profession, there is some sort of training requirement to keep you at the so-called "tip of the spear" in your field. Information security is no different. There are annual training requirements, seminars, and courses designed to keep INFOSEC personnel up to date on current and emerging threats. This seems pretty simple: your field requires some sort of training to stay current. The reality, though, is that some in the field believe this training is a waste of time, that it is not effective at helping employees prevent mishaps in information security, or that it takes away from the IT professional's job responsibilities. Well, personally I think that all of these reasons are invalid and a lot of training needs to be done by everyone who uses technology in the workplace.

Think about it. How can you expect to enforce information security policies and principles without some sort of training or familiarization for your organization? Remember, we work the systems, we operate the computers, and we have the breaches in data. People must be taught to secure information within their organization; it is not a natural response that we are born with. Also, training must be relevant to the organization you're in. You do not need to be trained on everything; that is what IT is for. You need to be educated on your part within the organization.

So, what does this mean? That humans are the weakest link in information security and privacy. Computers and technology will not divulge any information they are not made to or given a command to. The technology does not leave itself where unauthorized people can access or view it; we do. So, when it is said that an organization does not need security awareness training, then that organization must like potentially dangerous situations or potential lawsuits from loss of private information. It is not good business to ignore an essential task such as protecting information from unauthorized disclosure.

To learn more, read the following:

http://blog.noticebored.com/2012/05/this-years-uk-information-security.html

http://www.infosecisland.com/blogview/22152-Not-Providing-Education-is-the-Dumbest-Idea-for-Infosec.html

https://securosis.com/blog/security-awareness-training-evolution-why-bother-training-users
