End User Security Is A Management Problem

We all know that everyone needs to do their part to keep their organization from being pwned. Yet security awareness training and anti-phishing exercises don't seem to help very much. Why is that, when there's no shortage of vendors to sell them to us?

The $47 million recently stolen from Ubiquiti Networks was a result of social engineering via email combined with weak internal payment system controls. How much higher do the stakes have to get?

We're in this situation largely because on the job people do things their supervisors ask them to do. So if supervisors don't place a high value on getting something from the awareness training and don't prompt difficult conversations when someone falls for a phishing lure, your org is doomed.

So, rather than define it as an IT problem, user security education and awareness should be defined as a management problem.

If you are responsible for getting your network endpoint users to up their security game, the best way forward is to recruit all the supervisors across your organization to support your training programs. Work through your manager to do this.

Having supervisors on your side will make all the difference when a difficult conversation with a worker must happen because they will not support the InfoSec program. After all, a careless user isn't likely to take a random IT person seriously, are they?
