The panelists seem not to believe that users are trainable, though. For them, users are the great unwashed, and they would rather not sully themselves by associating with them. This was Brown on the topic: "It's a mistake to think that users can exercise judgment." Actually, users can exercise judgment. It's technology that's incapable of doing that.
Schneier took that hostility to users up a notch by proclaiming that those who exhibit poor security behavior should be fired. He seriously proposed that users who piggyback through a secured door or use a bad password should be shown the door. If this idea were adopted, there would be a whole lot of firing going on -- especially if companies make no effort to educate those users about security. And users at all levels make these mistakes, from lowly interns to CEOs. Unless a company is prepared to fire its CEO for sharing his password with his secretary, it shouldn't be firing interns who hold the door open for another employee.
Oddly, it was "Fire Everybody" Schneier who also asked, "Do we need to train everyone to be a security expert?" It was yet another comment that betrayed a basic misunderstanding of what security awareness training actually is. The aim is not to turn users into security experts, but to train them on the basics of security and so help them make informed decisions. Since Schneier made a point of comparing security awareness training to driver's training, I have to ask: Does driver's training try to make students professional race car drivers, or simply informed basic drivers?
I suppose that if you have an us-vs.-them attitude toward users, you can't even recognize one of the primary benefits of security awareness training: It can be an opportunity to form a connection between the security department and the user population. Security awareness puts a face on the security team and teaches users to whom to report incidents or suspicious occurrences. Too often the security department is seen as the Department of No, as Tipton pointed out, but security awareness is an opportunity to counter this. And it might also help some arrogant security professionals recognize that users aren't too stupid to make intelligent judgments.
I do believe that there was arrogance on display. Tim Wilson, the moderator, refused to allow questions from the audience, even though taking audience questions is the norm during RSA sessions. That decision enraged the audience, which began to yell at the panelists when denied the opportunity to speak.
Interestingly, in the end, this non-debate debate had another effect on the audience that I would not have expected. They were asked both at the beginning and the conclusion of the session whether they thought security awareness was worthwhile. The first time they were asked, a very small number of people raised their hands. The second time, after the debate, the vast majority raised their hands. Who would have expected a stacked debate to have such an outcome?