I wouldn’t have thought, based on the title, that I’d be blogging about this, but then again one can get fed up with purely InfoSec blogs, ranting and raving about technology, techniques and ISO27000 and risk and all that.
But this does relate somewhat to security as awareness training, sort of …
My problem with training per se is that it presumes the need for indoctrination on systems, processes and techniques. Moreover, training assumes that said systems, processes and techniques are the right way to do things. When a trainer refers to something as “best practices” you can with great certitude rest assured that’s not the case. Training focuses on best practices, while development focuses on next practices. Training is often a rote, one directional, one dimensional, one size fits all, authoritarian process that imposes static, outdated information on people. The majority of training takes place within a monologue (lecture/presentation) rather than a dialog. Perhaps worst of all, training usually occurs within a vacuum driven by past experience, not by future needs.
I can’t simply throw that at the wall of InfoSec training and hope it sticks, even though a lot of InfoSec is, unlike what we say about check-lists, a sort of Chinese menu of ‘best practices’: since we can pick and choose for our context, and of course since Context is Everything, they become ‘best for you’ practices.
The thing is that you need to be smart enough about InfoSec in the first place to be able to determine what is and isn’t appropriate (which is why the Big N-1 can make their bucks telling ignorant people what is ‘Best Practice’ as a one-size-fits-all standardized product). Experienced people, though, also have the humility to realise that they are not omniscient and infallible (we just appear that way to the less experienced) and so look to ‘lists’ to see what they can learn.
I remain hopeful on alternate days.