Certified security awareness

A vendor speaking at a conference (is there any other kind of presentation at conferences these days?) has made a call for a new standard for information security awareness training.

“… the way to do this is via a new infosecurity standard that solely focuses on training and awareness and is delivered in the work environment”

Now, I’m all for security awareness.  I’m all for more security awareness.  I’m all for better security awareness.  I’m all for infosec departments to actually TRY security awareness (since they often say, “well, if it was gonna have worked, it woulda worked by now” and never try it).

But, come on.  A new “standard”?

As the man[1] said, the wonderful thing about computer “standards” is that there are so many to choose from.

What are we going to certify?  Users?  “Sorry, you have been found to be too stupid to use a computer at work.  You are hereby issued this non-jailbroken iPad.”

No, undoubtedly he thinks we are going to “certify” the awareness materials themselves.  Good luck with that.

I’ve been a teacher for a lot of years.  I’ve also been a book reviewer for a lot of years.  And I’ve published books.  Trust me on this: a variant of Gresham’s Law is very active in the textbook and educational materials field.  Bad textbooks drive out good.  As a matter of fact, it’s even closer to Gresham: money drives out good textbooks and materials.  Publishers know there is a lot of money to be made in textbooks and training materials.  Publishers with a lot of money are going to use that money to advertise, create “exclusive” contracts, and otherwise ensure that they have the biggest share of the market.  The easiest way to do that is to publish as many titles as you can, as cheaply as you can.  “Cheaply” means you use contract writers, who can turn out 2-300 pages on anything, whether they know about it or not.

So, do you really think that, if someone starts making noise about a security awareness standard, the publishers won’t make absolutely certain that they’ve got control of the certification process?  That if someone comes up with an independent standard, they can withstand the financial pressures that large publishers can bring to bear?  That if someone creates an independent cert, and firmly holds to principles and standards, the publishers won’t just create a competing cert, and advertise it much more than the independent cert can ever hope to?

After all, none of us can possibly think of any lousy security product with a lot of money behind it that can command a larger market share than a good, but independent, product, now can we?

[1] Well, maybe it was Andrew Tanenbaum, but maybe it was Grace Hopper.  Or Patricia Seybold.  Or Ken Olsen.