Information security awareness training presents business opportunity for resellers

Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. To learn more about Mike's expertise or to read about hot topics in security, subscribe to his blog at http://blog.securityincite.com, or reach him via email at mike.rothman (at) securityincite (dot) com.


Information security awareness training is one of the more controversial security practices. A large number of security professionals believe that training users is pointless and ultimately has no impact on the security of the IT environment. These folks point to the number of issues that continue to originate from users who are repeatedly warned -- and promptly forget -- not to open attachments from unknown parties or click on links in random emails.

These security folks get frustrated because they have come face-to-face with the 80/20 rule (that is, 20% of the users tend to require 80% of the clean-up). The reality is that 20% of the user community will not get it, no matter how much training they have. Just accept that as fact, continue to clean up the mess, and move on. I'd rather you help your customers focus on the 80% of users that will be receptive to training, because that's 80% of the user population your customer won't need to worry about anymore.

Even if organizations have the best intentions of offering meaningful information security awareness training, however, their efforts typically fall short. Why? Because the security professionals responsible for training often get busy or are pulled away in favor of other priorities. They also have a hard time keeping training materials fresh and interesting. After all, they're security professionals, not trainers.

Do you smell an opportunity? I sure do. As a value-added reseller (VAR), you're already in the training business. You train security professionals on the products you sell, and on other basic or advanced security skills. You already have training facilities, and you likely have access to content. You are 90% of the way there already.

The other 10% is about changing your mindset. Training end users is a bit different from teaching an administrator to configure their PIX. End users can be technologically unsophisticated, may have trouble understanding security and, in many cases, may not feel that your training is a good use of their time. You can imagine that, especially when you are used to having students who pay a lot of money to attend your training, it might be challenging to teach students who are fulfilling a company requirement. Now you know what your high school English teacher felt like. The good news is that only about 20% will be truly unwilling to engage in training.

So why bother? Basically, it's all about volume. For example, you can conceivably train administrators once every couple of years, but organizations -- especially large ones -- are hiring new employees every day, and they all need training.

Of course, you aren't going to get $1000 a day for training end users, but you don't need to. By selling annual training retainers, you should be able to keep busy and make just as much in aggregate. In addition, you'll use fewer experienced instructors for these user training classes. After all, there is no need to have a Check Point jockey teaching users why they shouldn't be clicking on random attachments.

There's also the additional opportunity to offer online training. In fact, a few vendors are dipping their toes in the water by offering online training options for user awareness -- most notably Symantec. Existing Symantec partners can offer that service quickly and easily without having to make any investment at all.

In many cases, end users are the last line of defense, and a well-trained user community can keep your customers safer than the most sophisticated technical defenses. But your customers need structure and content to get their programs off the ground. Opportunity is knocking, folks. Answer the door.


This was first published in April 2007