Ira Winkler: Stupid users, or stupid infosec?
When security professionals see stupidity all around them, shouldn't they ask themselves whether it's their own precautions that are lacking?
Computerworld - I regard Thornton May as a thought leader in the field of information technology, but his Nov. 19 column, "Can Infosec Cure Stupid?", had me scratching my head.
Unusually for him, May's underlying assumptions are flawed. He argues that end users are generally stupid, his evidence being that they don't understand how the devices they use work and that they do stupid things with those technologies that render them vulnerable. His solution: All users should have a brain trust of security-savvy people they can turn to with their questions. I know many of the smart people that May says make up his personal brain trust, and I certainly hope none of them told him that this column was a good idea.
Let's look at the "people are stupid" assumption. It's true, May contends, because you would have to be stupid to leave your laptop or cellphone at an airport checkpoint or in a taxi. But hundreds of thousands of people have done this. In a group of that size, there are going to be people who avoid all guidance and do things purposefully or ignorantly wrong, and can be considered "stupid." But how many are we talking about, really? Those hundreds of thousands of people include people from all walks of life, including high-ranking executives, which is why their carelessness matters so much. Is it really helpful to chalk up that carelessness to stupidity?
I have to think that this situation -- hundreds of thousands of reasonably bright people just walking away from valuable assets like laptops and smartphones -- demonstrates not their stupidity but a flaw in the measures taken by security professionals. Think about it: If something happens so often, and clearly is not done intentionally, then a good security professional should realize that the problem is not the people but the process. So who's looking stupid now?
A good security professional should realize that airport checkpoints are mentally overwhelming for even "smart" people. People are rushed. They are forcibly separated from their laptops and other devices, among many other personal belongings. There is a lot for people to account for under stressful conditions. I even know many smart security professionals who have left devices behind.
What is smart is for security professionals to acknowledge that while they cannot prevent laptops from being left behind, they can ensure that the laptops are physically marked so that the TSA can restore them to their proper owners. They can install laptop-retrieval and whole-disk encryption software on the laptops. They can make sure that any data on a missing laptop can be remotely wiped.
More by Ira Winkler
- Ira Winkler: 6 failures that led to Target hack
- Ira Winkler: The RSA Conference boycott is nonsense
- Electronic privacy? There's no such thing
- Guys, stop creeping out women at tech events
- Ira Winkler: Stupid users, or stupid infosec?
- We're missing out on the value of security awareness
- Are your security professionals qualified?
- Ira Winkler: Press falls short in reporting on chip hack
- 8 realities about location-based apps
- Ira Winkler: Is Google evil? The jury is out
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts