Training: Effective security requires a unified approach

Feb 01, 2007 | 3 mins
Data and Information Security | IT Leadership | Physical Security

Today, I’d like to vent some frustration at what I see as one of the major fall-downs in businesses relating to information security: businesses are failing to adequately train their personnel. Effective security requires a unified approach. Appropriate technology and well-written policies are absolutely critical, but they cannot provide the entire solution. Studies have shown that the human element is at the heart of most security incidents. This should not come as news to anyone reading this blog. In my experience, it is the failure to provide employees with appropriate and ongoing training that creates conditions ripe for a security incident.

Businesses do not hesitate to spend many thousands of dollars purchasing and deploying sophisticated information security technology. They spend similar amounts developing security policies, information handling requirements, and related documentation (soon to be the subject of a future rant in this blog regarding the quality and understandability of these types of documents). But when it comes to personnel training, we see a minimal attempt to provide basic training at the time of hire and a lunch room poster or two aimed at “security awareness.” Such an approach is grossly inadequate. This is not to say some businesses aren’t on top of the training issue, but many clearly fall short.

Proper training of personnel has several advantages. Foremost among them are the reduction of incidents and the ability of the company to demonstrate it has acted diligently to protect its information and, if applicable, the information of its customers. This last point bears a further comment.

In the event of a compromise of security, one of the key questions courts and regulators, like the FTC, will ask is “did the business do what is reasonable under the circumstances to secure its information?” We all know it is generally impossible to absolutely secure information. Breaches of even the most secure systems can occur. Just ask the government. The question, however, is whether the business that has experienced the breach did everything that was reasonable under the circumstances to prevent it. Obviously, what is “reasonable” will change over time. But the constants are (1) appropriate technology, (2) relevant policies, and (3) proper education of personnel. Businesses that address the first two constants but not the third are opening themselves up to potential claims that they failed to act reasonably in protecting their information.

To many businesses, the idea of ongoing training about current and future security issues is simply not on their radar screen. This must change. Money must be allocated to ensure this single greatest source of security compromises is addressed. I have seen this work in businesses that have implemented more rigorous training for their personnel. They have been able to achieve far greater security and have significantly reduced incidents. Other businesses should follow suit.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.