I am an information security professional by day, and I am very unsure of the notion and gumption employed by upper-level managers who are overly detached from what information security is really about.
Surprisingly enough, there is the element of human nature where people almost swear that power does not corrupt or change them, and that should they be put in charge they would do the exact opposite of what the current person in charge is doing (such as emphasizing or concentrating on the more relevant or technical aspects of the issues and how to prevent them).
Sadly, this is not the case, as can be seen from all the real-life examples I have witnessed and I am sure you are aware of too.
So this then leads me to the joke. Pardon me if this is more of an inside joke; I just can't help it, as all I hear are repeats. It almost comes across as a broken record. Has anyone come across this lately? "Awareness training"!
Empower the user and train them properly in order to avoid situations where they are taken advantage of, or so that they are able to spot attacks and/or scams.
How much repetition will it take? When will we seriously call it quits? My take on awareness is that it is an awesome delivery means, as long as you can get it to work. Users will only take an interest in awareness training if there is something in it for them, and I am not talking about the salary they get paid.
Incentives work only to an extent, as they do not stop a user from clicking on a link to watch a funny video on Facebook displayed within their news feed (incidentally leading to a clickjacking attack, etc.).
Why do we not look at resolving things a little differently, either by trying a new approach or by merging the separate aspects into one giant ball, in order to disseminate these goals properly with a slightly better likelihood of success?
This requires thinking a little outside our confines .....
Ding! Light bulb moment:
How about the radical (and very old) idea of routing all web browsing traffic through a virtual machine, where session data and traffic are kept only in a confined space, i.e. within the virtual machines? This would provide a level of security, as these virtual machines could be reverted to an earlier snapshot after every use or at specified intervals.
In addition, we could easily have the traffic monitored and/or filtered in order to know what sort of traffic our users are generating, as well as being aware of any unwanted traffic, etc.
Another controversial approach ...
How about making users responsible for the equipment entrusted to them? If we implemented some level or form of accountability, this might be a good thing, as it would mean users are more concerned about what they use their corporate equipment for, since they will be held personally responsible for it.
We will also need to devise a way of implementing this, as simply detailing it within a company IS policy does not work. Usually only a handful of employees read the first page before they get bored!
This has stemmed from the numerous conversations I have had with other professionals, as mentioned before, and the repeating theme makes me scratch my head in awe, as I think there are simpler solutions to these problems.
I am in no way condoning taking away the liberties of users or becoming a tyrant or dictator with this; however, as is defined and also stated in many articles I have read, past and present, the use of the internet is a privilege and should be treated as such. Using corporate equipment to access the internet should also be seen as a privilege, as this is usually during work hours, when one is supposed to contribute to productivity/revenue generation.
Always remember with great power comes great responsibility.
I guess the entire point I am trying to make is that we should apply some common sense in our approach to resolving these issues and stop trying old methods which clearly are not having the impact we anticipate.
We need a culture change coupled with a lot of common sense and accountability.