As a person who primarily focuses on the human aspects of security and on implementing security awareness programs, I am neither upset nor surprised when there is an inevitable human failing, which surprises people. The reason is that I have come to the conclusion that most awareness programs are just very bad, and that, as with all security countermeasures, there will be an inevitable failing.
I have to admit that it is frustrating to have to argue with people who claim that awareness is always bad. They argue that since there will always be a single failing, it is not worth the effort to have an awareness program in the first place. Of course, I vehemently disagree. However, to debate people and address their points, at least in the eyes of decision makers, you need to understand the foundation of their arguments and accept the premises that are true.
I started to review the recently published Black Hat Attendee Survey. This study primarily focused on the concerns of practitioners, including how they actually spend their time and the losses that they incurred.
In another article, I will try to compare those concerns with the actual conference content. For now, though, the most notable statistic is the prominence of awareness-related concerns as a pain point for security professionals.
Clearly, the news media and study after study indicate that attackers target poor awareness on the part of end users and administrators. It has been reported that spearphishing was behind the Sony and TV5Monde attacks. The Sony results are well known. The TV5Monde attack was originally credited to ISIS sympathizers, and to the fact that TV5Monde actually televised many of its passwords while broadcasting an interview from its studios: passwords were written on a whiteboard in the background. Whether the attack was the result of televised passwords or spearphishing, it is still a result of user actions.
Everyone seems to think that there's a lack of qualified security professionals, and that the reason is that there aren't enough people entering the field with the required skills. There is a fallacy behind that thinking, though. People think that security is a stand-alone discipline, but it is actually a discipline within the computer field. Treating it otherwise is a mistake.

Most of the people who have been in the security profession for more than a decade, including me, entered the field without a cybersecurity degree. We might have certifications, but we don't claim that those certs are the source of any expertise we may have.

My own experience is not atypical. In all of my years of working, as an employee or contractor, for the National Security Agency and other military and intelligence agencies, I never performed specifically what would be considered security work.