What do you think this is?

just thoughts of a restless mind...

Training headaches

I appreciate training and am always eager to learn something new, but I have yet to settle on a preferred form of instruction. However, there is one that I find particularly challenging, and since I've recently been considering the possibility that the effectiveness of the security training and awareness we provide may vary depending on the mode of delivery, I thought I would write down my thoughts. Here are my personal choices.

What to do with the center of security?

Some years ago, during a (quite extended) phishing avalanche in the company I was at the time, the (then) CIO said: Let's fire every user that falls for a phishing mail! That will solve the problem for good. I considered it a joke, and I replied pretty much with a rhyme: Let's train them before we blame them and I didn't give it a second throught. We went on to deploy some training modules, but never really implemented the technical controls on the mail server; an activity that if had been implemented, several of those phishing mails would never have entered the company. I think that this is not strictly a user failure and I'm inclined to blame the IT deparment more than the user.