I had planned out a couple of posts. One was going to explain in no uncertain terms that user training is broken and won’t help. The follow-up was going to be the opposite: how technology will not ever protect us without end-user training.
I decided to put that on hold and maybe not even post it, but I did want to blab about something else I see in the IT and security communities. I see a lot of very polar opinions on how things should be. You have user training versus technological controls. ROI vs insurance. Business skills vs technical skills. Full-disclosure vs alternatives in either direction. Black hat vs white hat. Perimeter is dead vs perimeter is important.
The bottom line? All of these approaches are correct and all should be practiced to some extent. Just like all those diet fads, stick solely to one for a long period of time and you’ll have new problems. But if you take the basic concepts from many, you can end up with a very effective approach.
There is a place for each extreme, but they are all necessary and need to be balanced. There are also people who, for instance, can be mired completely in the technical realms and leave the businesspeak to their bosses and not only be successful personally, but help drive their company to success. The balance doesn’t have to be in each individual, but a department can achieve balance with imbalanced parts. Then again, even imbalance will work depending on the corporate culture, needs, and outside influences.