I recently participated in a briefing with Cisco where Cisco’s David Bump explained to me the idea behind the Cisco Learning System. The Cisco Learning System works to fill the IT talent gap by partnering with public and private organizations to help increase the supply of qualified professionals.
David caught my attention when he explained that the most important part of their approach is to empower users to take full advantage of their systems. He qualified this with the example that while you could probably use their equipment, in particular their Intrusion Prevention System, or IPS, out of the box, you wouldn’t be taking full advantage of the power in the device.
This struck me as a very interesting take on the user education system.
As part of my day job, I work with IPS systems. In fact, I have evaluated, implemented and operated a few solutions from different vendors. One vendor in particular collects comprehensive statistics anonymously (through its opt-in reporting system) and publishes them for review on its site. They show that 60-70% of all of their end users run their IPS filters on the ‘Recommended’ settings, meaning with no modification to the vendor-produced filters.
In Cisco’s view, this would suggest that users of the other vendors’ systems aren’t taking full advantage of their appliances.
So who is right?
We’ve all heard it, that “the user” doesn’t know what they’re doing, that the less power we give them, the better. In that case, wouldn’t it make more sense for the company with a full team designing and analyzing filters and threats to develop and maintain the IPS in a user’s network than for the user to do it themselves?
After all, if a device ships with the setting in place to auto-apply updates from the vendor, then the vendor can have significant control over the client network. Add filters when a new threat pops up, and in a few months, once the threat dies down, just recommend the disabling of that filter since the user no longer needs it. Minimal involvement on the user’s part, and they’re likely protected better than they could have done on their own.
But is that more beneficial to the user than education?
I point towards Michael’s Awareness That Works™. What if, instead of assuming the user is a lesser life form that has no idea how to properly secure their network, we assume that they’re just uninformed? You don’t call someone an idiot when they can’t spell a word or speak your language; you educate them instead. Why should we treat network security any differently? We in the industry use acronyms, tools, and words that are often referred to as another language. Heck, we are proud when we say that we think in a way contrary to the average user. But how is that different from saying I was better than a German because I speak English?
It seems Cisco is on the right track; maybe we could learn something from their ideas.
What do you think? How do we strike the balance between providing solutions that help get the job done while educating people to really use the tools to their maximum advantage?
I would agree with the observation that many users of devices (themselves IT professionals who scorn ‘real’ users) aren’t using them to their fullest; strikingly often with default settings. I think this is part of what is still driving Managed Security Services. (In some part, it may even drive Cisco’s entire range of certification programs where they certify valuable technical people to fill those roles.)
I’d even agree that this is in part due to ignorance by the users. But there are four things I think work against this…and I’ll avoid the cost of man-hours for now.
a. Time. Yeah, we’ve all heard it. Time is a luxury in IT. I’d love if I had time to tinker and get to know the devices in my realm better. Sadly, most IT have their biggest learning spurts only while troubleshooting the latest fire.
b. Desire. Especially in security as opposed to a more general IT role, if someone doesn’t have the desire to learn more about security devices and security in general, no amount of hand-holding or throat-stuffing training will make too much impact. I’d also factor into “desire” the tendency for IT to be risk-averse, especially with systems that may impact operations if you poke them with a stick too much. Poke an IPS with a stick for a while, bring down a highly visible system, and you likely have less desire to do poking in the future.
c. Vendor bloat. Some tools are, to put it nicely, just too chock full of knobs, buttons, menus, variables, and ways to make plugins. This often comes from a vendor who wants to increase their market as much as possible by putting in every feature that any segment may want, at the expense of making a product that any one given customer will only use 20% of. At worst, it overwhelms the customer into just accepting those defaults and moving on. (And it should be relaxed enough that any customer can just plug it in and it works, at the cost of tighter security.)
Acquisitions don’t help in this regard either (yes you McAfee and Symantec; those acquisitions make your products harder to use, more complicated, and more fragile…).
On a related note, security just as a function inside a business (cost, security vs convenience, risk…) is becoming more fascinating to me than just the technical defender vs attacker mode. Before even doing any security work, there is this huge struggle to actually get an organization to start!