Article: Security expert: User education is pointless
Posted Monday, October 16, 2006 4:41 PM by hwaldron
I respectfully disagree with this article, as information security is a responsibility of all employees in an organization. Ultimately, security is a joint effort by IT and all business professionals in the company.
Article: Security expert: User education is pointless
http://news.zdnet.com/2100-1009_22-6125213.html
QUOTE: In Gorling's view, the answer to those questions is yes. In corporations in particular the security task belongs with IT departments, not users, he argued. Just as accounting departments deal with financial statements and expense reports, IT departments deal with computer security, he said. Users should worry about their jobs, not security, he said.
COMMENTS: When I used to perform security awareness in our company (emails, website, newsletter, formal presentations, etc), I saw it making a difference. The keys to success for successful user education include:
- Keep it simple, using non-technical language and simplified concepts where possible
- Make it interesting (e.g., war stories)
- Give them advice that helps them at home as well (e.g., privacy protection, avoidance concepts, etc)
- Keep the program updated for emerging threats (e.g., phishing, fraud, e-commerce protection, etc)
- Have an Intranet website as a referential resource
- Security goes beyond just malware protection (e.g., business travelers with laptops, the need to protect reports or data in an entrusted capacity, etc.)
I agree that we need the best technological controls to complement the protective process. Still, each person in an organization logically has to "think security". I've used a slide with simply SEC-U-R-IT-Y on it to illustrate "you are it" when it comes to safeguarding the company's security and your own at home.