There has been a lot of discussion over the past few months regarding an article entitled: Why you shouldn’t train employees for security awareness. This viral article from last summer is still very popular. It was written by Mr. Dave Aitel, who is the founder and CEO of Immunity. If you’re not familiar with this debate on the value of cyber awareness training, I recommend taking ten minutes to check out Mr. Aitel’s views and the corresponding comments.
After reading this article as well as many rebuttals, I believe a few common themes emerge:
1) The majority of cyber experts and technology leaders disagree with Mr. Aitel for a variety of reasons. The verdict seems to be that we need an “all of the above” approach when it comes to training as well as other activities, policies, tools and cybersecurity actions. The conventional wisdom says we need answers relating to people, process and technology – and awareness training helps the people and process part.
One of my favorite rebuttals was written by Boris Sverdlik at Infosec Island. For the most part, I agree with Mr. Sverdlik’s perspective on this topic.
2) Mr. Aitel is not alone in his views on awareness training. Bruce Schneier, a well-known security blogger and industry expert, wrote this piece on the topic. Similar articles were written last year. Read this response to dropping security awareness from Spiceworks, written last July.
3) There is no doubt that Mr. Aitel makes many good points that need to be taken seriously. Who can argue with any of these seven actions (described in more detail in his article):
The Good, the Bad and the Ugly with this ‘Shock Marketing’ Approach
But rather than just echo other rebuttals, I’d like to address a broader set of implicit questions that this article raises. Specifically, what are the positive and negative ramifications of throwing end user awareness training (or for that matter, any other training, technology, policy or approach) under the bus? Why do we instinctively react negatively to Win/Lose articles and blogs like this?
Perhaps most important: Does this article make CISOs and other security leaders want to implement his seven actions or buy his product more? I think not.
I basically view this piece to be a form of “shock” marketing or advertising to get our attention. Why shock advertising? Because the words are carefully chosen to force a strong reaction. Notice that the headline is not: “How to follow an offensive security program,” or, “Seven essential security steps for organizations,” or even, “Why Immunity offers the best … whatever.” Those titles would not have received the same level of viral attention and would yield minimal page views. No, the approach seeks to grab our attention with something we inherently want to argue or defend or discuss.
Lest I be accused of not practicing what I preach, I want to present my response in a respectful manner to this particular author and training issue. Nevertheless, I think my concerns are relevant for other topics that use a similar marketing approach. We’ve all seen similar techniques used for various products and services.
I don’t know Mr. Aitel or his company, but he seems to be an articulate security executive with a positive reputation and a good set of credentials. I have nothing for or against him or his company. Rather, I think this is a good example of an author trying to get noticed in a very crowded social media market vying for our attention. What’s the result?
What are the good aspects of this article? First and foremost, shock marketing gets you noticed. There’s no doubt that I now know who Dave Aitel is. Before I read this article, I didn’t know anything about him or his company. I’m even writing a blog about his article, along with dozens of other bloggers.
A Google search on this headline gets big results. Immunity has more people going to the company’s website. I’m sure Dave also has more LinkedIn requests for connections. These are all sales leads.
No doubt, many people have emailed him and unloaded all of the things that they think are wrong with their company’s awareness training program(s). He may even be attracting a few hackers with talent to join his company.
Second, this article also draws attention to his points regarding other cyber priorities. It shines a light on other important aspects of cybersecurity.
One bad aspect of shock marketing is that it can turn people off. Yes, you get your name out there to make a point, but are you changing people’s minds? Are you getting noticed for the wrong reasons?
More important, he might be associated with a negative image that is hard to undo. What stuck in my mind a few days after reading the article is that he thinks awareness training is a waste, and not his other seven points.
But the ugly part of this article is a perception it leaves regarding a potential lack of integrity. Now I must say up front that the author may indeed believe what he is saying about awareness training. I don’t know his true motives or beliefs. Perhaps he really thinks that end user awareness training activities are a total waste of time and money.
But if this is so, why does he end the article the way he does? Here’s an excerpt:
“By following an offensive security program, companies can keep their networks, and employees, protected.
Dave Aitel, CEO of Immunity Inc.... His firm specializes in offensive security and consults for large financial institutions….”
Notice that the answer given is to “Follow an offensive security program.” This is a classic “Win-Lose” example from Covey. Or in other terms, don’t spend your company or government dollars on awareness training, but buy my products and/or services instead.
On the other hand, a similar article by Bruce Schneier looks at the arguments for and against awareness training, without trying to sell me his products in the process.
Improve, don’t remove, security awareness
In conclusion, there is a long list of reasons that security awareness training makes sense, as described in other rebuttals. Businesses have audit findings to address, processes that need refining and pragmatic compliance reasons to train employees.
And yes, there is plenty of poor and meaningless awareness training out there. I agree that awareness training must be improved and results measured. Over the past year, I have advocated new approaches that offer more intriguing awareness training that is brief, relevant, timely, fun and changes behavior.
And yes, cost is a factor. I suspect that some organizations spend too much on awareness training. However, most state governments spend less than 1% of their security budgets on awareness training.
Most important, if you really want to change my mind and convince me to stop offering awareness training – let the arguments stand alone.
And if you want me to buy your product – try a different marketing approach based on WIN-WIN principles. Please don’t trash awareness training in the process.