Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. To learn more about Mike's expertise or to read about hot topics in security, subscribe to his blog at http://blog.securityincite.com, or reach him via email at mike.rothman (at) securityincite (dot) com.
Information security awareness training is one of the more controversial security practices. A large number of security professionals believe that training users is pointless and ultimately has no impact on the security of the IT environment. These folks point to the number of issues that continue to originate from users who are repeatedly warned -- and promptly forget -- not to open attachments from unknown parties or click on links in random emails.
These security folks get frustrated because they have come face-to-face with the 80/20 rule (that is, 20% of the users tend to require 80% of the clean-up). The reality is that 20% of the user community will not get it, no matter how much training they receive. Accept that as fact, continue to clean up the mess, and move on. I'd rather you help your customers focus on the 80% of users who will be receptive to training, because those are the users your customer won't need to worry about anymore.
Even if organizations have the best intentions of offering meaningful information security awareness training, however, their efforts typically fall short. Why? Because the security professionals responsible for training often get busy or are pulled away in favor of other priorities. They also have a hard time keeping training materials fresh and interesting. After all, they're security professionals, not trainers.
Do you smell an opportunity? I sure do. As a value-added reseller (VAR), you're already in the training business. You train security professionals on the products you sell, and on other basic or advanced security skills. You already have training facilities, and you likely have access to content. You are 90% of the way there already.
The other 10% is about changing your mindset. Training end users is a bit different from teaching an administrator to configure a PIX firewall. End users can be technologically unsophisticated, may have trouble understanding security and, in many cases, may not feel that your training is a good use of their time. When you are used to students who pay a lot of money to attend your classes, it can be a challenge to teach students who are there only to satisfy a company requirement. Now you know how your high school English teacher felt. The good news is that only about 20% will be truly unwilling to engage in training.
So why bother? It comes down to volume. You might train an organization's administrators once every couple of years, but organizations -- especially large ones -- hire new employees every day, and every one of them needs awareness training.
Of course, you aren't going to get $1000 a day for training end users, but you don't need to. By selling annual training retainers, you should be able to keep busy and make just as much in aggregate. In addition, you can staff these user classes with less experienced instructors. After all, there is no need to have a Check Point jockey teaching users why they shouldn't be clicking on random attachments.
There's also the additional opportunity to offer online training. In fact, a few vendors are dipping their toes in the water by offering online training options for user awareness -- most notably Symantec. Existing Symantec partners can offer that service quickly and easily without having to make any investment at all.
In many cases, end users are the last line of defense, and a well-trained user community can keep your customers safer than the most sophisticated technical defenses. But your customers need structure and content to get their programs off the ground. Opportunity is knocking, folks. Answer the door.
Have a suggestion for a topic? Feel free to email SearchSecurityChannel.com and let us know what's on your mind.