Just a quick post today, because I know everyone's traveling around with Black Hat kicking up and other conferences in full swing right now ... but something we've been hitting on today struck a nerve, and I felt I needed to write it up for everyone's benefit. We've been talking about whether user awareness is a good idea, so much that there are now two camps (and more, and more), plus some who dissent from both (complete with xtranormal movie, LOL), all seemingly at war over whether it's a good idea to even spend money on user training.
It is my professional opinion that user training, where it fails, does so because employees don't feel like they have any personal stake in "doing the right thing". Most of the user awareness training I've ever had the pleasure of being put through only speaks to the company and my responsibility to the company/organization - but never gives me any stake in the game.
I'm 100% confident that I'm not the first person to discover this, or to think about how we can get users to start thinking about how they can keep themselves, and the company, safe while using their own personal devices loaded with corporate 'stuff'. Does it make sense to repurpose "security awareness training" to be more inclusive of corporate and personal responsibility? Should we have users sign agreements that make them aware that they are personally responsible when bad things happen as a result of their reckless actions? Should there be HR actions against users who are reckless, or who otherwise do not follow standard best practice? Wait ... does this mean we now have to provide users with sane usage guidelines? Oh boy...
So here's how I see this, sort of step-by-step.
Allow users to bring in their own devices (BYOD) if and only if they're willing to ...
- Go through a mandatory training course which outlines their personal responsibility to the data and to the company
- Allow for some measure of corporate control on their personal devices (minimal invasiveness)
- Accept personal responsibility (maybe even a measure of liability) for incidents and issues that arise from not adhering to reasonable usage guidelines
Now ... the corporate IT Security organization will need to...
- Work with HR to make sure we're not just talking at our employees scaring them with the hacker bogeyman, but rather talking to their human side about how they are personally responsible and liable for issues
- Work with legal to set limitations of shared responsibility and liability
- Work to provide standard usage guidelines that are easy to understand, easy to adhere to, and minimally invasive
- Provide back-end auditing to monitor the use of corporate data (psst, back to basics we go!)
So much for a short post, then ... but the idea is this: users need to understand that they share liability and responsibility for mishaps with corporate data. This doesn't mean they mindlessly sign a paper after clicking through some slides; it means a level of awareness and understanding that teaches rather than scares.
Now ... where's that productivity increase everyone keeps talking about?