In our exit interviews, I am often asked, “What is the one thing that we should be focusing on as an institution?”
The one thing… the answer that I always give is… education… both for staff and customers. This simply cannot be said enough. As Information Security professionals we are often guilty of spending a disproportionate amount of our time on protecting the network, often forgetting that every single user is essentially another extension of that same network. Users can be regarded (and forgive the inhumanity in light of the illustration) as essentially an exposed terminal to an attacker. Users can easily and unwittingly serve as a vulnerable biological interface to an otherwise secure network. Think of a user as a modem that never gets turned off. When we regard our users in these terms, it becomes easy to understand the importance of ongoing security training. How often do we patch our systems, firewalls, and routers? In contrast, how often do we patch our staff?
I’ll leave a discussion of the best methods for training for another time. For now, suffice it to say that the vast majority of all security breaches can still be tracked down to human error. Yet… where are the vast majority of your security resources spent?
Courtney Treadaway