On Tuesday, April 26, Symantec hosted a live Twitter chat centered around our latest Internet Security Threat Report and the changing threat landscape. We’d like to extend a big thank you to those who participated and joined the conversation.
Using the #SecChat hash tag in Twitter, we were able to guide a lively discussion around what’s top of mind with regard to the current security threat landscape for those of you in the security industry.
One aspect of the discussion focused on end-user security education and its importance, while others questioned whether dollars spent toward user education made any difference at all. We certainly heard all sides to the story. If there is anything people agree on it’s that the “user is like water, following the path of least resistance to their end goal,” in the words of one tweeter.
Those in support of end-user security education felt that, if it is done well, user education can make a measurable difference in an organization’s overall security posture. “We throw a ton of money at tools to try to solve what is basically user education issues,” said one tweeter. Another felt “employee education is often done really poorly and could be solved if you put $100,000 into security education.” Another tweeted and said “I’d be thrilled if we could teach users not to click on attachments.”
Others felt a hybrid approach is needed with a combination of education and security technologies. “If education is done well it can help. We still need to improve technology: people aren't perfect.”
On the other side of the aisle, we heard several say security education just doesn’t work, and it’s not nearly as fun. “It’s just really sexy to unbox a new IPS, it’s not as sexy to buy some pizzas and talk to your users about staying safe,” said one user. Another tweeted, “when was the last time you saw a security awareness video/program that didn't make you cringe?” This group favored technology over education. “I think the money should be put into active protection, not security awareness training.” Another tweeted, “weirdly, risk assessment done before and after employee education often yield no changes.” Another felt that “an employer not only needs incentive to educate, but likely wants measurable ROI too; two hurdles not always easy to overcome.”
As you can see, it was a great discussion! As a company, we spend a lot of time and resources talking with customers and industry influencers to help us provide the solutions that meet real-life needs. We value these interactions and hope those who attended also took something meaningful from the conversation.
We plan to do more of these in the future, and we welcome additional participation. You can participate in the ongoing industry discussion by following the #SecChat hash tag on Twitter.