Andy posted what is maybe the biggest question (and toughest) we should consistently ask ourselves in this field: What is the biggest problem facing security professionals today? Andy answered user awareness.
I’m not so sure I could so quickly answer just one thing as our biggest problem. If I were to tell a VP where to best spend his money, I think I would answer either technology to protect the users and data, or spend money on educating management, not all users. Managers need to lead, and unless managers are aware of the problems, users aren’t really going to give much more of a shit. Companies are economic entities, and users are entities that answer to their managers. Pressure can be applied by educating stakeholders such that they hold management accountable for security. But we all know that devolves into checklists, grades, certifications, and basically the representation (right or made up) of security…which may or may not be the real state of security.
An example of technology mitigating the user problem is in laptop encryption. Users can continue to be stupid and lose laptops because they leave them in plain sight in their cars and put data they shouldn’t on them, but if they are encrypted (technology), that user mistake is dramatically mitigated. Of course, this may perpetuate the cycle of relying on technology and ignoring user education…but that’s at least where I’d perhaps put my money first. Teach people to ignore spam and phishing and detect it and report it, or implement spam filtering good enough to minimize their exposure to those decisions, along with HIPS/detection to stop those fewer instances where they do slip through? Relying on users would keep me up at night, personally.
Complexity of our environments and technology advancements are also a huge problem right now. Environments keep growing outward and more varied. They’re also just plain growing. Trying to create an infrastructure today that can be properly and securely grown for the next 10, 5, or even 3 years is highly difficult. Our work environments creep and grow, and we don’t typically have the luxury to start over and build the house correctly to today’s threats.
For all that rambling above, I don’t mean to diss on users as being stupid and a lost cause. I do realize there are benefits to user education and I by no means would prevent user education or speak up against it. User education is truly part of a blended approach to security, and users are just another required layer to be protected and educated, just like in the spam example above. I’m somewhat playing devil’s advocate, but I honestly don’t know if I would say user education is our biggest challenge. I think it is just far more complicated than that.
Update: After some more thought this evening and some time playing LEGO Star Wars (awesome!), I think one of the biggest problems we face is making sure our peers (and ourselves) give management the best bang for the buck they can get, and give accurate, honest and truthful assessments and advice. Management needs our help to understand the reality of their state of security and how to properly tackle it. They also need us to keep hounding them so they don’t become complacent or think the task is done. So yes, in a way, education is necessary, just not necessarily user-centric as much as tackling the user base from the top. This might include heavy training for IT folks as well: those of us who are laying the blocks and doing the securing and growing and actual work. Even if management is on board, they can only spin their wheels if their people are not getting it.