Analysis: Certified SANS instructor and leader in security training, Lance Spitzner, argues that security ‘geeks’ are not the right people to run security education.
As security threats get more advanced, the products being built are fighting to match them. One element not being secured is the human factor, and it is something SANS' Lance Spitzner wants to set right with security awareness education programmes.
For Spitzner, the first problem is to highlight who is actually in charge of those security awareness programmes to help individuals secure themselves and their firms.
"Over 90% of security awareness officers, security culture officers, whatever you want to call them, are geeks. They’re IT admins, security analysts, web developers. Who are the worst communicators in the world…geeks. So the very people in charge of the awareness programmes are the people who shouldn’t be."
Spitzner therefore thinks that to bring about the cultural and behavioural changes required to help make individuals safe, there needs to be a fundamental change in who delivers security awareness courses, because communication is critical.
"What happens is geeks in charge of awareness jump right in and start talking about two-factor authentication, or password managers or things like that. Take a step back, people have to understand why this is important."
He wants "communicators, public relations people, marketing people, sales people" acting as awareness officers in their companies instead.
This is because he thinks that the approach many security professionals take towards their role and security in general is arrogant: "They'll say with almost a bit of arrogance that people are stupid, you can't patch stupid, you can't patch stupidity, they go and they blame the people.
"What we need to do is blame ourselves, because, if you look, we've done everything to secure Windows and nothing to secure the human OS."
Of course, resources are always an issue, and Spitzner is clearly concerned that firms are not even assigning people to these kinds of roles in the first place.
"In the UK right now, you have a lot of organisations with over 100,000 people and maybe there’s half a person in charge of awareness…and they have no support," he says.
However, he does think that, being led by finance and defence, this is slowly changing. In the US, he sees industries such as manufacturing also taking cybersecurity education seriously.
What is surprising when talking to Spitzner is that he is not overly concerned with very technically proficient attacks. Again, this is the type of thing geeks worry about in theory, but it is not borne out in reality.
The thing we still have to be highly aware of is phishing, which he says accounts for 90% to 95% of attacks, with much of the rest taken up by good old-fashioned phone calls. "The best hackers, social engineering hackers, are simply good liars," says Spitzner.
Even in a world where advanced persistent threats (APT) are becoming an increasingly hot topic, phishing is still the critical issue, he says.
"For APT it's the persistent part that makes them dangerous. The A part they're just using boring phishing. The bad guys are not going to bust out their super uber fancy exploits unless they absolutely have to, so they always try phishing first."
Again, this all comes back to communication, and making sure the right people are making others aware of the right threats to themselves and their colleagues. We still have a long way to go.