Talk or Action: How to Allocate Sparse Resources

It is not hard to find a security department that is overworked and
understaffed. There are, however, some that are well funded and
staffed appropriately. What separates the two? That is a question
I am not going to answer here. In any well managed organization, money
and respect go toward things that make the business more productive.
Training sessions where all the security person does is talk about the
big bad internet and all the things that could happen (phishing,
malware, oh my!) are not a security program. They are a waste of
people's time and company resources unless coupled with the technical
controls that enable proactive security.

That might sound insane to non-security professionals, but take a
minute and think about it using this analogy. Suppose you are walking
down the street in a rough neighborhood, and a person who claims to be
a security professional says, "You will get robbed here; it is a
dangerous street." Does that actually do you any good?

Now take the same example but this time the security professional says,
"This is a dangerous street, I will walk with you, we might get
robbed, but I have a plan to recover."

If I had the choice of which security professional to follow, I would
choose the latter.

Now, let's get back to phishing. Do we know what it looks like at the
network level? Yes (or at least anyone who is halfway competent does):
a user follows a link from a mail to a domain that imitates ours, then
submits a login form to it. Can we take that knowledge and know
immediately when it has occurred? Yes (again, competence). Is it even
possible to interrupt the attack in the middle? Yes (although, going
back to the street analogy, losing one wallet, and knowing that you lost
it, is better than getting stabbed because of overconfidence).
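To make "we know what it looks like on the network" concrete, here is an added example (my own illustration, not code from the original post) that runs the kind of check a proxy or DNS log pipeline can do in real time. It assumes a hypothetical protected domain corp.example, constructed proxy log lines in the format "timestamp source method host path status", and a simplified "last two labels" notion of registrable domain. It flags hosts that imitate the protected domain (ASCII typosquats, accented IDN look-alikes, and "corp-login" style prefixes), raises an alert on a visit, and returns a block decision when a form is posted to such a host, which is the moment credentials are leaving.

```python
import re
import unicodedata
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the organisation's own registrable domain(s). Hypothetical.
PROTECTED = {"corp.example"}

# Common ASCII look-alike substitutions seen in typosquats (illustrative subset).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def decode_idn(host: str) -> str:
    """Decode punycode (xn--) labels to Unicode; leave plain ASCII hosts alone."""
    if "xn--" in host:
        try:
            return host.encode("ascii").decode("idna")
        except UnicodeError:
            return host
    return host


def normalize_label(label: str) -> str:
    """Fold a DNS label to a skeleton: lowercase, strip accents, map look-alikes."""
    nfkd = unicodedata.normalize("NFKD", label.lower())
    skeleton = "".join(c for c in nfkd if not unicodedata.combining(c))
    for glyph, plain in HOMOGLYPHS.items():
        skeleton = skeleton.replace(glyph, plain)
    return skeleton


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; labels are short so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels. Simplification: ignores public-suffix rules like co.uk."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def lookalike_of(host: str) -> Optional[str]:
    """Return the protected domain this host imitates, or None if it is the real
    thing or unrelated."""
    dom = registrable(decode_idn(host))
    if dom in PROTECTED:
        return None
    sld = normalize_label(dom.split(".")[0])
    for p in PROTECTED:
        psld = normalize_label(p.split(".")[0])
        # One edit away after normalisation, or our name used as a hyphen token.
        if levenshtein(sld, psld) <= 1 or psld in sld.split("-"):
            return p
    return None


LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


@dataclass
class Alert:
    ts: str
    src: str
    host: str
    imitates: str
    action: str  # "alert" for a visit, "block" for a form submission


def scan_proxy_log(lines: List[str]) -> List[Alert]:
    """Run the look-alike check over proxy log lines and decide per request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        target = lookalike_of(m["host"])
        if target is None:
            continue
        # A POST to a look-alike login page is credentials leaving the building:
        # block the request now, then go reset the account.
        action = "block" if m["method"] == "POST" else "alert"
        alerts.append(Alert(m["ts"], m["src"], m["host"], target, action))
    return alerts


# Constructed sample log. The IDN host is built by encoding so the punycode is
# exactly what a browser would send for an accented look-alike of corp.example.
IDN_HOST = "cörp.example".encode("idna").decode("ascii")
SAMPLE_LOG = [
    "2024-03-04T09:12:01Z 10.20.3.4 GET corp.example /login 200",
    "2024-03-04T09:12:45Z 10.20.3.4 GET c0rp.example /login 200",
    "2024-03-04T09:13:02Z 10.20.3.4 POST c0rp.example /login 302",
    f"2024-03-04T09:20:10Z 10.20.3.9 GET {IDN_HOST} /sso 200",
    "2024-03-04T09:21:33Z 10.20.3.9 GET corp-login.example /auth 200",
    "2024-03-04T09:30:00Z 10.20.3.12 GET news.example /today 200",
]

if __name__ == "__main__":
    for a in scan_proxy_log(SAMPLE_LOG):
        print(f"{a.action.upper():5} {a.ts} {a.src} -> {a.host} (imitates {a.imitates})")
```

Two caveats a practitioner would add before deploying this: short protected names make an edit distance of one noisy (a four letter SLD will match plenty of legitimate neighbours, so keep an allowlist), and the `registrable` helper should be replaced by a real public-suffix list lookup. The point of the exercise is the last branch: the same check that raises an alert on a visit is the one that lets you block the POST, which is the difference between talking about phishing and interrupting it.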

So, then, why just talk about phishing when we can do something about it?
Put another way, which security department is going to get the higher
budget: the one that tries to educate the problem away, or the one that
innovates and solves it?

