Despite millions upon millions of dollars spent on network security infrastructure significant data breaches continue to occur unabated. When I'm watching football (or any sport for that matter) work is normally the furthest thing from my mind. However, while watching a game recently, I couldn't help but think about that introductory statement. As an analogy, football explains why security awareness programs are absolutely critical for reducing the severity and frequency of security incidents. By breaking the game down into basics, we can further explore this parallel.The football - the corporate crown jewels. This can include anything from intellectual property, personally identifiable information, legal documents, sensitive financial information, and really any data that provides tangible value to the business. Quarterback - the enabler (the IT department). In football, the QB is responsible for getting the ball to the right receivers in a timely and safe fashion. In the business world, the core mandate of IT security is to securely and safely get the right information to the right people at the right time. I am not oblivious that IT professionals may not be paid like star quarterbacks (I have a dearth of zeros in my bank book to prove it) but the comparison is worth noting. Wide Receivers/Running Backs - the various business units that run with the information, data, and systems provided by IT in order to execute and carry out key strategic projects that promote business value. Offensive Linemen - the personnel and security systems (such as firewalls, intrusion detection/prevention systems, corporate antivirus suites, identity access controls, spam/phishing filtering, the list goes on) designed to protect the confidentiality, integrity, and availability of critical corporate data. Left Tackle - an underappreciated asset that protects the quarterback's (or in our case IT security's) blind spot. All corporate employees are custodians of the company's most valued data. They need to be acutely aware of the dangers and threats that can lead to the exposure of data and subsequent data integrity issues. Employees are uniquely positioned in areas where IT defences do not always converge - an area known as the security blind side. If a defensive player (persistent external threat) successfully evades the offensive line (IT defenses), it is the duty of the left tackle (the employee workforce) to prevent him from reaching the quarterback and the football (corporate data). In order to be effective at this task; however, employees need to be provided with the necessary education and toolset.
Technical solutions will only get you so far
Current security protections have to deal with constant pass rushes, blitzes, changing schemes, and the continuous onslaught and bombardment of corporate networks by cyber criminals. No matter how much we spend on the latest and greatest security systems, the security blind side is continually exploited and cannot be adequately protected by technology alone.
Much of the attention is devoted to deploying technological solutions and developing accompanying processes. In doing so, we are severely underestimating the importance of investing in the human component of the greater security equation. The average mid-large sized company spends upwards of $100 per employee on security mechanisms. How much money per employee is spent on training and educating the employee workforce on security awareness? For most companies it would be under a buck per employee. There are companies that spend more than that on coffee per employee! It is no surprise that in most corporate settings very little money is spent on creating and developing effective and sustainable security awareness programs.
Many fail to comprehend that the most expensive and extensive security mechanisms and devices today can be easily rendered useless by an employee replying to a phishing attempt (just ask RSA) or getting hit by a drive-by download. It was only recently, that NFL teams realized the importance of budgeting for an effective left tackle. It is time for the corporate world to do the same. By upping the investment dollars in security training for the workforce we will be giving them the tools, knowledge, and experience to prevent threats from breaking through and wreaking havoc.
Strong football teams realize that their quarterback needs to have suitable time and space in order to succeed. To protect their investments and ensure that the quarterback is able to move the ball downfield, football teams pay more for great left tackles (obviously in proportion to the asset that they are protecting). It is time to call an audible and realize that we need our fellow employees to suit up on the gridiron with us as left tackle. By spending more money and effort on developing security education and awareness amongst the employee workforce, we can drastically reduce the chance of having the security blind side exploited. This extra protection cannot come soon enough: we have had our collective bell rung one too many times.
Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.