Security Awareness Training is a Critical Requirement when Implementing a Defense in Depth Strategy

Defense in Depth is a basic security principle that organizations should be using to defend their data, their users, and their employees. No single layer of security will stop every attack, so Defense in Depth means building multiple, independent layers of security. If one layer is breached, the remaining layers are still present to delay and defend against the attacker. Implementing this principle mitigates the risk of a sensitive data breach.

According to the National Security Agency's "Defense in Depth: A Practical Strategy for Achieving Information Assurance in Today's Highly Networked Environments" document... "An important principle of the defense in depth strategy is that achieving Information Assurance requires a balanced focus on three primary elements: People, Technology, and Operations." Security Awareness Training is how an organization addresses the People element of that balance: it educates staff about security best practices and the attacks they are most likely to encounter. Without a balanced focus on all three elements, the neglected one becomes a weakness that attackers will target.

Unfortunately, a few well-known security professionals have publicly stated that security awareness training for an organization's employees is a waste of resources. Dave Aitel, CEO of Immunity, recently wrote: "Security awareness training is one of the most overrated – and dangerous – aspects of security planning that any organization can use." ...This stance is both irrational and irresponsible.

Rebuttal #1: To prove his point, Mr. Aitel states, “An employee should be able to click on any link, open any attachment and go about their jobs as they see fit, and not expose the company to a serious breach.”

Unfortunately, we are not living in a perfect world, so we must educate our staff about security. Not giving our employees basic security awareness training about the dangers of clicking on links or opening attachments would be just as negligent as telling them it is acceptable to leave the front doors of our offices unlocked... or to leave the keys in the ignition of our cars. Locking our doors and taking our keys with us is how we MITIGATE the risk of a burglary; neither measure makes burglary impossible. Sending our staff to security awareness training is one of the tools we use to MITIGATE the risk of a sensitive data breach. Defense in Depth is a risk MITIGATION technique, and security awareness training is one layer of an organization's Defense in Depth strategy.

Rebuttal #2: Mr. Aitel also writes, "Even trained employees stand no chance against a modern attacker who customizes his phishing attack against that individual. Security awareness simply cannot address this threat." It is true that Security Awareness Training cannot prevent 100% of phishing attacks from succeeding, and a well-researched spear-phishing message aimed at one individual is the hardest case.

However, Mr. Aitel fails to recognize that many common security measures do not address every threat and will not stop 100% of attacks... yet they are still considered part of an organization's Defense in Depth strategy. Here are a few facts to ponder:

  • Firewalls do not stop all attacks, but we still find them valuable
  • Anti-virus software does not stop all viruses, but we still find it valuable
  • Static code analysis tools do not find all security vulnerabilities in source code, but we still find them valuable

No single layer of an organization's defense will stop all attacks. That is why an organization must use a Defense in Depth strategy and, again, why Security Awareness Training only MITIGATES the risk of a sensitive data breach. It should not be expected to stop 100% of all phishing attacks, any more than a firewall is expected to stop 100% of network attacks.

Final Thoughts: It is difficult enough for organizations to protect their customers, their employees, and their sensitive data from attackers; when well-intentioned security professionals give misleading advice, it becomes even more difficult.