Re: Certified security awareness

[Blue Boar <BlueBoar () thievco com>]

Wait, a cert that requires EVERYONE to get it and not just the security
people? Brilliant! They'll make millions.

                                        BB

On 1/31/12 11:45 AM, Rob, grandpa of Ryan, Trevor, Devon & Hannah wrote:
> http://www.infosecurity-magazine.com/view/23571/a-call-for-a-new-standard-in-
> infosec-training-and-awareness/
>
> " ... the way to do this is via a new infosecurity standard that solely focuses on 
> training and awareness and is delivered in the work environment"
>
> Now, I'm all for security awareness.  I'm all for *more* security awareness.  I'm all 
> for *better* security awareness.  I'm all for infosec departments to actually *try* 
> security awareness (since they say often say, "well, if it was gonna have worked, it 
> woulda worked by now" and never try it).
>
> But, come on.  A new "standard"?
>
> As the man[1] said, the wonderful thing about computer "standards" is that there 
> are so many to choose from.
>
> What are we going to certify?  Users?  "Sorry, you have been found to be too 
> stupid to use a computer at work.  You are hereby issued this non-jailbroken iPad."
>
> No, undoubtedly he thinks we are going to "certify" the awareness materials 
> themselves.  Good luck with that.
>
> I've been a teacher for a lot of years.  I've also been a book reviewer for a lot of 
> years.  And I've published books.  Trust me on this: a variant of Gresham's Law is 
> very active in the textbook and educational materials field.  Bad textbooks drive 
> out good.  As a matter of fact, it's even closer to Gresham: money drives out good 
> textbooks and materials.  Publishers know there is a lot of money to be made in 
> textbooks and training materials.  Publishers with a lot of money are going to use 
> that money to advertise, create "exclusive" contracts, and otehrwise ensure that 
> they have the biggest share of the market.  The easiest way to do that is to publish 
> as many titles as you can, as cheaply as you can.  "Cheaply" means you use 
> contract writers, who can turn out 2-300 pages on anything, whether they know 
> about it or not.
>
> So, do you really think that, if someone starts making noise about a security 
> awareness standard, the publishers won't make absolutely certain that they've got 
> control of the certification process?  That if someone comes up with an 
> independent standard that they can withstand the financial pressures that large 
> publishers can bring to bear?  That if someone creates an independent cert, and 
> firmly holds to principles and standards, that the publishers won't just create a 
> competing cert, and advertise it much more than the independent cert can ever 
> hope to?
>
> After all, none of us can possibly think of any lousy security product with a lot of 
> money behind it that can command a larger market share than a good, but 
> independent, product, now can we?
>
>
> [1] Well, maybe it was Andrew Tanenbaum, but maybe it was Grace Hopper.  Or 
> Patricia Seybold.  Or Ken Olsen.
>
> ======================  (quote inserted randomly by Pegasus Mailer)
> rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
> Been working on my people skills. I can throw them pretty far now
>          https://twitter.com/robotinthewild/status/34707914191011840
> victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
> http://blogs.securiteam.com/index.php/archives/author/p1/
> http://twitter.com/rslade
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.