Andy ITGuy is a proponent of training, which is awesome and wholly commendable. I totally understand that, but I’m feeling picky today. Maybe today is Picky Wednesday, I dunno. But I noticed Andy posted this (he’s going to love that I’m pulling out an anecdote and unfairly focusing on it, hehe) and I want to make a point too.

My favorite quote from the post is this,

“My dear friend, education is the key..not more locks and bolts.”

The same holds true for Information Security. If our users don’t know how to spot and handle phishers then we might as well just put up an open WI-FI to our network and post it in the paper.

I’m not sure I would say that user education is key and that without it we may as well put up open wifi. I think user education is very important, but it won’t solve IT security any more than education has solved drug use, teen pregnancy, or STDs. I won’t be able to dispense with logging utilities or AV or LUA or spam scrubbing just because I have a good training regimen.

So yes, that’s my point for the day. Security by technology and security by education need to be balanced just as much as security is balanced against usability. In the end, however, I’ll take slightly more technology than education only because that is the one that can be auditable and has hard-drawn lines that I can trust (that and I likely have more budget right now than Andy might have…and that does matter).