One of the fundamental problems with most businesses today is that they are not investing in providing IT staff with basic information security training. Many companies have compartmentalized in such a way that security and operations don’t meet. And, in fact, quite a few organizations have fostered an environment where IT actually views security as a hindrance to productivity!
As fewer and fewer IT pros are taught the fundamentals of security, more and more organizations are becoming dependent on off-the-shelf solutions. Sooner or later I expect there to be a reality TV show called “The Great Security Bake Off” which will test whether anyone can be found who knows the basic principles of IT security!
The situation is further exacerbated by the executive staff, both the C-suite and auditors, who are primarily concerned with box-ticking in order to meet regulatory compliance requirements. They have become focused on the letter of the law rather than the spirit of the law.
PCI-DSS is an excellent example. Were companies to take the requirements of PCI and genuinely attempt to put them into practice, rather than simply do what is necessary for appearance's sake, there would be far fewer data breaches. The problem for many companies is that they equate compliance with security: passing the audit proves that the controls were in place on the day of the audit, not that an attacker could not get around them.
Take the example of anti-virus (AV). This is an industry that is worth almost $8 billion annually, and yet in a 2013 study by Imperva the top 40 AV products had an initial detection rate of less than 5% against newly collected malware samples. In many cases it took the AV vendors a month to make the necessary updates to their products. (The study measured detection by submitting samples to VirusTotal, so it tests the vendors' signature engines rather than the full products with behavioural components enabled; even so, a month-long gap between a sample appearing and a signature shipping is a month in which the product offers no protection against it.)
Consider the sheer insanity that a company most people had never heard of, Mandiant, became an overnight success when it released a report directly implicating China in cyber espionage. That was a revelation! Less than a year later it was being bought in a stock and cash deal by FireEye, which now has a market cap of $5 billion. And what does Mandiant do? It tells you that you've been hacked, presumably by the same malware that its parent fails to spot.
IT professionals line up to buy all this stuff. After all, it must be good if it's worth that much money. This is the same logic that concludes that smoking must be good since the tobacco industry earns billions of dollars annually.
Ultimately, what vendors are doing is selling bulletproof vests while adding that “not all bullets will be stopped” in the fine print. Unfortunately most people don't read the fine print!
What are your thoughts on the state of IT security training? Leave a comment below.