I address the Virtue of Education last since it reflects back on all the previous virtues. I have already introduced several areas where continual attention needs to be given in the practice of security. You may wonder how any one person can accomplish all this and still get any work done. Security, however, is not a lonely task that can be performed by a single individual. If security is to be a daily effort, a community effort, and considered in everything, then everyone must be involved, to some extent, in security practices. Therefore, everyone involved needs some degree of security education.

Who's Really in Charge?

Here is a good thing to think about: Every workstation attached to a network has a great influence over the security of everything else in an organization. Thus, the security of information is literally in the hands of those using the workstation, the end-users. Wouldn't it be nice if they had a little training to go along with the extreme power they possess? I don't care how much an organization has spent in making its clients thin, centrally monitored, and centrally controlled; the end-user still has great influence through his or her workstation and local network connection. By training IT staff members, managers, executives, and all end-users on good security practices, we can transform end-users from being a security risk into actually aiding in maintaining the security of an environment.
It is important to remember while implementing security that most attacks on an organization are only successful because of an uninformed or careless administrator or end-user. Most systems connected to the Internet will be lucky to go five minutes without being probed for weaknesses by someone, somewhere. This makes it far more likely that the security administrator will not be the first person to discover a vulnerability an end-user has introduced into the system. With this in mind, it is certainly worth the training effort to ensure that end-users have the knowledge and interest in maintaining the security of their workstations and the environment. Without the training and participation of the end-users, security is very difficult to achieve in any organization.

The Psychological Obstacle

The practice of training and keeping end-users updated with security information does not have to be difficult. Many organizations accomplish this with moderate budget and resources. The most common obstacle to creating an environment unified in its security practice is an artificial barrier that is drawn between IT staff and the end-users. Tension often exists between technical and non-technical personnel. This plays a very significant role in security practices since the people making security decisions are sometimes the individuals who would rather be thrown to the lions than try to train a group of end-users (and I'm sure the feeling is mutual).
We must always remind ourselves and those around us of one vital concept: Security is of great importance and it cannot be done alone! There is no technological solution for security that cannot be undone by a group of untrained, uninformed, or uncooperative end-users. A good security professional is one who is able to perform his or her duties while maintaining contact and a good relationship with the actual technology users.

Practicing This Virtue

Practicing this virtue does not mean we need to send all the end-users to get certified in security. Nor does it mean that we need to go to every desktop and show each person how to properly secure his or her computer. We simply need to make the end-users aware of security. Users need to understand that security is a very serious matter, and that the only way to keep the organization secure is to have everyone be responsible for his or her own part. Some important guidelines to stress to end-users include:
It should be stressed that security measures protect everyone in the company. When anyone bypasses these procedures, it may allow a hacker access into the environment and compromise the safety of everyone's information. Here are some interesting ways to introduce end-users to these concepts: