I hope that headline got your attention. That was my goal. It’s offensive when someone generalizes about the overall intelligence and thoughtfulness of an entire group of people. And yet, that’s the habit we as an industry seem to have fallen into. In IT and in InfoSec, over and over again I hear “Stupid users”, “those idiot users”, “my users are such dumb shits”. It’s uttered so frequently that it’s almost a mantra.
My focus here is on the security realm because that’s where I am and what I do. In the security community, I hear the sentiment echoed over and over again as well: dumb users who repeatedly “click on shit” that ends up compromising my security. I’d like to turn that around a bit. Any time one of my users “clicks on shit”, I’d like to suggest that it is I who have failed and not them. My team and I have failed to properly educate them; I have failed to teach them how to identify the latest phishing scam; we have failed to teach them to type the URL themselves rather than blindly clicking on links. We have let the company down, not those “dumb users”. I feel very strongly that a big part of my job should be end user education. As tired as military analogies may be, they are our front line, they are our border guards. Without their participation and involvement in securing our environment, we can’t ever hope to be successful.
So please stop looking down at those “dumb users” and make them a part of your security team. Educate them and make sure they understand that they play a vital part in securing the enterprise. In fact, as a whole, I could argue that they play a much more important role than you do, so please act like it.
Also, please consider bringing your expertise to the newly launched Security Awareness Training Framework (SATF). We are working to develop a framework (similar to what is being done for penetration testing with the Penetration Testing Execution Standard, PTES) that will help security programs and practitioners develop a complete and comprehensive security awareness program. This isn’t a small task, but we are a small group of folks working on this in our free time, and any extra set of hands would be appreciated.
P.S. I don’t think information security folks are dumb; in fact, I’m often awed and intimidated by the intelligence of some of my peers.