Tales of Ordinary Madness

Chris’ Tales of Ordinary Madness

Stupid Information Security people


I hope that headline got your attention. That was my goal. It’s offensive when someone generalizes about the overall intelligence and thoughtfulness of an entire group of people. And yet, that’s the habit we as an industry seem to have fallen into. In IT and in InfoSec, over and over again I hear “Stupid users”, “those idiot users”, “my users are such dumb shits”. It’s uttered so frequently that it’s almost a mantra.

My focus here is in the security realm because that’s where I am and what I do. In the security community, I hear the same sentiment echoed over and over again: dumb users who repeatedly “click on shit” that ends up compromising my security. I’d like to turn that around a bit. Any time one of my users “clicks on shit”, I’d like to suggest that it is I who have failed, not them. My team and I have failed to properly educate them; I have failed to teach them how to identify the latest phishing scam; we have failed to teach them to type the URL themselves rather than blindly clicking on links. We have let the company down, not those “dumb users”. I feel very strongly that a big part of my job should be end-user education. As tired as military analogies may be, users are our front line, our border guards. Without their participation and involvement in securing our environment, we can’t ever hope to be successful.

So please stop looking down at those “dumb users” and make them a part of your security team. Educate them and make sure they understand that they play a vital part in securing the enterprise. In fact, as a whole, I could argue that they play a much more important role than you do, so please act like it.

Also, please consider bringing your expertise to the newly launched Security Awareness Training Framework (SATF). We are working to develop a framework (similar to what is being done for penetration testing with the Penetration Testing Execution Standard, PTES) that will help security programs and practitioners develop a complete and comprehensive security awareness program. This isn’t a small task, but we are a small group of folks working on it in our free time, and any extra set of hands would be appreciated.

P.S. I don’t think information security folks are dumb; in fact, I’m often awed and intimidated by the intelligence of some of my peers.

Written by Chris

October 17th, 2011 at 2:51 pm

Posted in Uncategorized

3 Responses to 'Stupid Information Security people'


  1. Chris,
    Great article. I couldn’t agree with you more that we need to educate our users. In my security classes my professors are constantly asking us how we would educate our users on the latest threats and how we would implement this education into our security policies. Education is key.

    Mic

    17 Oct 11 at 3:03 pm

  2. Great post! Totally agree with you. Security guys don’t think education is part of their job, but it is. The same thing applies to educating developers on how to build secure code instead of saying that they are the creators of all vulnerabilities. BTW the link for the SATF group is only for members already, you should use this one instead: https://groups.google.com/group/SATF-workinggroup.

    Regards,

    Magno Logan
    OWASP Paraiba Chapter Leader

    17 Oct 11 at 3:27 pm

  3. [...] linked to an article on the blog called Tales of Ordinary Madness. The article was entitled “Stupid Information Security People”. This article talked about how we shouldn’t be blaming the users when a security [...]
