This week I was asked nicely by our marketing folks if I could write something that could link to our presence at Infosecurity Europe (We're at stand K60, come visit us, there's probably free stuff, and definitely interesting people - there, y'happy now marketeers? ;) ).
Anyway, I thought I'd do a piece on new Infosec exhibitors I planned to visit. Sadly, I didn't find a lot to get me excited on my trawl through the exhibitor list! Don't get me wrong, I'm sure there are some great stands there (including ours, K60, did I mention it?), but the list just about failed to get a hoary old 10-year-infosec-veteran like me engaged.
What I did see though, was a couple of vendors offering "end user training" - particularly Bob's Business (extra points for being from Yorkshire), and Phish.me. Now, there are those who suggest that this sort of training isn't that wonderful an idea - including infosec superhero Bruce Schneier writing over at Dark Reading. I kinda agree with Bruce, especially with regard to the value of implementing training measures "server side", and increasing our resilience to inevitable failure, but I think maybe he paints slightly too dark a picture of end-user training.
I know we fail with a lot of our efforts to change user behaviour, but eventually, some of it sticks. I've written in the past about how tough it is to change people's mindset: I had to remind my dad to wear his seatbelt pretty recently, and campaigns to encourage their use have been ongoing for 40 years (plus laws to that effect, plus the obvious downside of going un-belted), but younger folk seem to be much more likely to belt up - something has caused the message to "stick". Eventually.
In the tech world, things seem to happen more rapidly - just around the office here we've had two-factor authentication turned on by default for a year or so on our email. When it was first turned on, people moaned. It was hard to use. It was inconvenient. Now, it's kind of expected. Indeed, when we launched a new system that couldn't do SSO, people asked: "Where's the 2FA?". Granted, these were non-techies, but they were people working in the security business... still, I see that as a glimmer of hope. Perhaps in this more fast-moving world the "buckle up" message will sink in within a generation?
Would love to hear from people in "the real world", where their users really don't have an interest in IT security. Have you been able to train out bad habits? Is Bruce right and end-user training won't help?
Finally... since we're here, and you've gotten this far, here are a few people I'll be visiting at Infosec anyway - vuln management folks RandomStorm (Yorkshire connection, plus a few ex-Smoothwallers there), SIEM maestros Splunk (I just love graphs... I think I caught the bug from one of our developers...), SSH (which self-respecting Linux-botherer would miss it?), Bunker Secure Hosting (you had me at "Bunker") and, last but not least, Vipre (the now-divorced-from-GFI anti-malware used in Smoothie). Hey, maybe it won't be so dull after all... visit K60. Go on. Please.