I was reading a Tim Wilson article at Dark Reading this morning in which he asked the question, “So are users hopeless?  Are they inherently brainless and/or evil?”  My first reaction to the question was raucous laughter.  When I finally regained my senses, I read the rest of the article in which Wilson makes a lot of sense.

As a Security director, I have days when I believe the users are all out to violate as many security policies as they can, either intentionally or because they are brain dead.  But this attitude isn’t helpful.  I agree with Wilson that most end users are intelligent individuals who want to do the right thing.  Keeping that in mind, helping users help themselves is a key element in any security program.

For years I’ve been a proponent of user education as a first step.  If there is chaos in the halls of security compliance, then part of the blame usually lies with the lack of effectiveness of an organization’s security awareness efforts.   This is always the first step, but it isn’t enough.

Employees will always make mistakes.  Yes, they’re human beings not robots.  So there are steps security professionals must take to mitigate the impact of those mistakes.  Content monitoring for data transfers, locking down the desktop, and Internet access controls are three good places to start.  Not only will this help stop the bleeding from an accidental incident, it will also help minimize the probability of malicious activities.

Wilson does finish his article with the assertion that end users are hopeless.  OK.  Maybe.  But IT security shouldn’t be.