More on Education for Enterprise Security

This post sponsored by the Enterprise CIO Forum and HP.

In my last post, Education – the key for Enterprise Security, I wrote about the need to educate the organization to think about IT Security.

In that post, I included a photo of a door. A door that had no walls around it.

That door with no walls is a nice visual of many organizations today. We spend so much time and money focused on the doorways that we ignore the walls.

We put a lot of money into the technology to control access, but neglect to put money into education to make sure the walls around the doorways aren’t torn down.

And… that’s exactly what is happening in most organizations today. Groups are tearing walls down. They are doing this with Shadow IT and BYOD. They are destroying walls for a great purpose…the betterment of the organization…but they are introducing security risks without understanding the dangers.

As I pointed out in my last post, Christian Verstraete wrote a post titled Keeping Cloud in mind when you look at your security in which he wrote:

Pro-actively define your security strategy. Decide what an acceptable risk level is. Choose and implement tools and procedures accordingly and train, train, train your employees. Believe me, this may cost you money, but it will be a factor less than if your security is breached. Just think about the damage to your brand if you are compromised.

Emphasis mine.

We (in IT) do a good job of defining security strategy, risk and plans for dealing with security issues. We are good at that. We have defined these things so well that we’ve defined ourselves into the position of always saying ‘no’…which is one of the main drivers for Shadow IT.

Even better than defining risks and planning to deal with risk, we are good at reacting once a risk has been identified. Most IT organizations are very, very happy to tell you how quickly they’ll react to a danger that they find. While that is something to be proud of, I’d rather we brag about how few times we’ve had to react. Or better yet…how pro-active we are in educating our organization on the issues of security.

How do we do this? As I wrote in my “boogeyman” post, we need to:

…find ways to highlight the dangers of the boogeyman without actually making people think about the boogeyman. We need to talk about the dangers of Shadow IT while educating our clients to the real dangers that exist using language they can understand.

How do we educate our users to the dangers that lurk in the shadows without boring them? How do we communicate our needs for security while being open to change and new platforms?

That’s the million-dollar question…and I don’t know the answer. But I do have a few ideas on how to get the process started:

  • Communicate – the first step is to communicate with the organization. I don’t mean just ‘talking’ to them…I mean sitting down talking with them about the issues at hand. Talking with them about the importance of security and how you and your team can help with their current projects.
  • Consult – Rather than be relegated to being an operations arm, IT should get out into the organization and become a Technology Consulting organization. Using this approach, you can be proactive and help the rest of the organization select and implement technology rather than waiting for them to bring you a new ‘project’. This will let you get in front of any potential security concerns…maybe 🙂
  • Embed – One of the most interesting ways to educate (and help) the organization is to embed members of your IT staff into other groups. Whether this is a long-term assignment or a short-term one, it helps get the IT group involved in other areas and helps to make people more aware of the services of IT. In addition, it makes the IT group more ‘human’ by getting your team members away from their desks/cubes and closer to the rest of the organization.

Those are just some thoughts…this approach not only helps with the educational aspects, but helps with collaboration as well.

What are your thoughts?

Education – the key for Enterprise Security

You’ve spent years and millions of dollars on your IT Security systems, processes and people.

Your systems are as impenetrable as you, your team and your partners can make them.

Your processes are amazing. They follow all the industry standards and your audits always come back 100% ‘secure’.

You and your team sleep easy at night knowing you’ve done everything you can to keep the boogeyman out.

But…in the blink of an eye, and against all odds it seems, you find a hacker sitting smack dab in the middle of your organization’s systems.

What happened?

Your systems were perfect. Your processes were perfect. It’s inconceivable that a penetration could occur on your watch. Right?

Well…anyone that’s been in the IT business for more than a few months knows that no system or process is perfect and there’s always risk. Our job is to mitigate risk. We’ll never be able to eliminate risk completely, but we can do our best to minimize it.

While we in IT spend many hours/days/weeks/years thinking about and dealing with security issues, we rarely go outside our ‘realm’ to talk to the rest of the organization about the importance of security. Sure, we build a document or webpage describing how important security is, but do we really educate the rest of the organization on what it really means to be ‘secure’?

Do we go out of our way to talk to everyone about the importance of security? Do we train people on the dangers of Social Engineering? Have we educated ourselves on the dangers of security in the social world?

In today’s world, where being ‘social’ is the new norm, social engineering is even more of a threat than it ever has been. With the ability to interact in real-time with people from all over the world, enterprise security is more at risk than ever.

Imagine your company has a Facebook page.

Someone sends a message to your marketing intern that says “hey…this is Bill from the London office…I’ve lost access to the Facebook page…can you add me again as an administrator?”

Your intern, trying to be helpful…and knowing full well who “Bill” is and that he is supposed to have access to the Facebook page, immediately responds and adds “Bill” to the Facebook page.

Ten minutes later, the intern tries to access the Facebook page but no longer has access. He contacts “Bill” via company email and finds out that he is on vacation for the next month.

Looks like your Facebook page just got taken over.

This is a pretty simple example but one that can easily happen. A hacker targets an organization and finds a way in…it doesn’t take much to do this. Sure, in this example, the hacker isn’t “inside” but they do have access to a very important piece of your organization’s marketing platform.

Christian Verstraete recently wrote a post titled Keeping Cloud in mind when you look at your security where he wrote:

As our world is getting increasingly integrated, and as social media is used by enterprises to reach their customers and prospects, we need to train our people to ensure they are watchful for social engineering. According to Wikipedia, Social engineering, in the context of security, is understood to mean the “art of manipulating people into performing actions or divulging confidential information.” While it is similar to a confidence trick or simple fraud, it is typically trickery or deception for the purpose of information gathering, fraud, or computer system access. In most cases the attacker never comes face-to-face with the victim.

Emphasis mine.

Social Engineering comes in all forms: email, instant message, social networking, phone and in-person. Have you ever found someone walking around the hallways of your organization without proper ID or notification of their arrival? I have…and it’s unsettling to know that they could have found an open computer and started plugging away at your systems.

Security policies will always help against the approaches hackers take…if those hackers take on the IT group head-on. But hackers rarely hit the IT systems head-on.

Jim Harris points to a book titled Social Engineering: The Art of Human Hacking (amazon affiliate link) by Christopher Hadnagy as an example of what people are doing in the Social Engineering space. Jim quotes Hadnagy as saying:

“While software companies are learning how to strengthen their programs,” Hadnagy explained, “hackers and malicious social engineers are turning to the weakest part of the infrastructure — the people. The motivation is all about return on investment. No self-respecting hacker is going to spend 100 hours to get the same results from a simple attack that takes one hour, or less.”

Emphasis mine.

No amount of money or technology will stop social engineering. It can slow things down for sure. But…education will go just as far (or further) to help put the brakes on social engineering attacks.

Christian Verstraete finishes up his post by writing:

Pro-actively define your security strategy. Decide what an acceptable risk level is. Choose and implement tools and procedures accordingly and train, train, train your employees. Believe me, this may cost you money, but it will be a factor less than if your security is breached. Just think about the damage to your brand if you are compromised.

Emphasis mine.

Train your employees. Not just the IT employees…but everyone. Teach them what Social Engineering means. Teach them that just because someone asks for something, it doesn’t mean they should get it. Finally…one of the best methods to combat Social Engineering attacks is to teach your people these three words: Trust but Verify.

That intern in the above story…he could have trusted “Bill”, but a quick email to “Bill’s” work email address would have easily stopped the Facebook attack.

Educate everyone in the organization to Trust but Verify. Education is expensive but should be looked at as another line-item toward securing the organization. You’ve spent millions on the technology…spend a little bit more to educate your people.

Image Credit: the no-wall door By ghirson on Flickr

An Educated Client Is a Better Client

This is a guest post by Elmer Boutin.

I read with great interest Eric’s post of January 31, 2012 entitled Do things when you should … not when you have to. I agree with what he wrote, and it really got me going about something I’ve been mulling over in my head for several weeks: An educated and knowledgeable client is better than an ignorant one – especially if you want to help them do things at the right time.

I have a day job, but I do consult with small businesses and nonprofits on a regular basis. When I started consulting, I would do most of the work and not show anyone how to do things for themselves or why I did what I did.

While I understand some clients want and need someone to just do for them, I found I really liked teaching, and those to whom I took the time to explain things responded quite well. After consulting gigs where I taught the client in more of a mentoring-like setting, I found the experience exhilarating. Teaching allowed me to have a positive impact in someone else’s efforts by giving them confidence they could maneuver around marketing technologies.

Even better, those people now had the knowledge to make better and informed decisions about strategy and tactics in their online efforts. This actually makes my work a lot easier.

Recently, I was helping the owners of a restaurant in a touristy part of Texas. They wanted to get some social media going, but had no idea where to start. For our first meeting, I put together a presentation which introduced concepts and gave suggestions on where to begin their efforts. After they digested the information and were ready to proceed, we met again. This time, I sat behind them at their computer as we walked through setting up accounts on social sites, claimed their name and location on those sites and even set up “check in” discounts.

While I know it may have been overwhelming at first, they soon got the idea and by the end of the afternoon they were claiming their spaces and setting up deals without much input from me. We’ll need to meet again to go over more advanced concepts, but I knew I did well when they emailed me the next day with the great news that several customers had already checked in and taken advantage of their 10% off deals. That gave me (and I’m sure them, too) a great sense of accomplishment.

By taking a teaching/mentoring approach, my clients have become smarter. They have the confidence to move forward, to work online for their business as well as they do offline. They are learning how to “adapt and overcome” to the constant change of the online landscape.

To get back to Eric’s idea: How do we get clients to do things when they should rather than when they have to? We teach them. If we’re going to expect our clients to make those timely decisions, we have to equip them to do so. We have to give them the background knowledge to be able to look at what’s going on around them and be able to ask the smart questions. We have to develop trust with them and establish that we are the experts in whatever field we consult on – and if we can do that before the first time the client calls, all the better.

“How do I do that?” you may be asking yourself. Here’s your tip on doing something when you should: If you just asked yourself that question, then follow Eric’s (and my) lead, start a web site and start sharing some of your knowledge. Go! Do it now! If you want some advice on how to do it, ask in the comments and I’ll show you where you can get information to get going. Read the post I linked to in the preceding paragraph and see how someone else established credibility in their field to the betterment of their business.

As you take on the role of coach/mentor/teacher, both you and your clients will benefit.

Elmer Boutin is a Marketing Technologist and has worked in web marketing for almost 15 years. His first experience was as a freelancer doing web sites for local businesses such as car dealerships and an art gallery. Later, he ran an online rental property referral web site aimed at assisting military people in finding homes before they moved. He’s currently Webmaster at a Texas-based decorative surfaces manufacturer. You can read more articles by Elmer at

Image Credit: education By Sean MacEntee on flickr

Perceptions of Online Graduate Degrees

Two weeks ago my colleague Kevin Williams and I had the pleasure of presenting a short research survey to the Northeast Texas Consortium Summer Distance Education Conference in Tyler, Texas. I mentioned this briefly in my post titled The Future of Education is Online.

The research project was undertaken to try to get a feel for how people perceive online graduate degrees. Our initial approach to the survey was to attempt to understand and compare the perceptions of people who’ve earned graduate degrees online versus those that have earned them via the ‘traditional’ method of attending classes on campus.

During the survey (using an online survey – details below), we collected some good data from the people that had earned an online graduate degree, but our survey results for those that hadn’t earned a degree online were skewed and therefore discarded. Note: We plan to redo the survey for the group of people who’ve not earned a graduate degree online.

The presentation, titled “Perceived Value and Usefulness of Online Graduate Degree Programs”, seemed to be well received by those that attended our session. You can view the slides from the presentation below or jump over to Slideshare to view/download the slides. My apologies to all those out there who hate PowerPoint as much as I do. 🙂

To perform the survey, Kevin and I created a survey on and asked our colleagues and acquaintances to help spread the word.  We shared the survey link on twitter and facebook and asked our friends to do the same.

I won’t go through the actual questions here (you can see them in the slides) but some of the results are worth noting:

  • 47.4% of the respondents strongly agreed that the rigor of an online graduate program was similar to that of a ‘traditional’ program
  • 67.9% of the respondents strongly agreed that flexibility was important to them in their program selection process
  • 55.4% of the respondents strongly agreed that accreditation was important to them in their program selection process
  • Flexibility was ranked as the most important aspect in the decision making process
  • Location was ranked as the least important aspect in the decision making process

You can see more results in the slides.

During the presentation, we wanted to get some discussion started with the attendees around the results and distance education in general. We were in luck…the group had a lot of things to say about the topic and our survey.

From the standpoint of the attendees, distance education (aka online education) is the future of higher education. There were plenty of attendees telling us that their universities and colleges had begun to transition many courses and programs to be offered either via a hybrid delivery method (e.g., a combination of online and in-class) and/or as fully online delivery.

Additionally, these university and college administrators and professors were confident that the next few years would see even more programs and courses transition online – since that’s what the traditional and non-traditional students are demanding.

Regarding our research, there were quite a few good suggestions and discussions that might lead to additional research avenues. From these suggestions and discussions, a few key areas that Kevin and I may look at in the future are:

  • How does someone with a ‘traditional’ degree (i.e., on-campus) perceive an online degree (this is the 2nd part of our initial research that we discarded)?
  • The concept of the ‘traditional’ student is changing (or already has changed). Some have reported that 60% of on-campus students living in the dorm are taking at least 1 online course per semester. How does that change the traditional vs non-traditional student perception?
  • Are online programs becoming more popular because of their flexibility or because they are perceived to be easier (a good portion of our survey respondents believed that rigor is comparable)?

There are more avenues for research that came out of the discussions at the conference.

Kevin and I are planning on working up this survey into a paper as well as diving into more research in the area in the near future.

The future of education is online

Last week, I spent a few days in Tyler, Texas attending the Northeast Texas Consortium Summer Distance Education Conference.

I was lucky enough to get to present at the conference (more on that in a future post!) and got to spend some time talking to university and college educators from around the northern part of Texas.

I was surprised to find most of the universities and colleges were offering their programs online to traditional and non-traditional students regardless of whether that student was on-campus (dorm, etc.) or off-campus. In addition, it was surprising to hear that at some universities around 60% of students living in dorms were taking at least one course online. There were even a few people telling me of entire programs offered online regardless of the location of the students.

Back in 2001, I started my MBA at The University of Texas at Dallas. I lived close to campus but really (really) wanted to take some online courses to make it more flexible for me to work on my courses. Because I was an ‘on-campus’ student, I couldn’t take online courses…I would have had to transfer to their ‘online MBA’ to take online courses. I always thought that segregation was strange…but it seems that there’s no longer a segregation between on-campus students and off-campus students…and I think that’s a good thing.

One of the things that became very clear to me while at the NetNet conference was that universities are really interested in moving more courses and programs online. Perhaps this is a cost-saving measure – or maybe there’s just that much demand for online courses these days…regardless…the future of higher ed (and perhaps high school?) is online.

Does online education mean fully online with no face-to-face interaction? I’m not sure. For some courses and/or programs, perhaps it does.

In my doctorate, I’ve not met a single professor from Dakota State University and I’ve only met one other doctoral candidate face-to-face…in fact, I just met him last week at the conference even though I’ve ‘known’ him virtually for 4 years.

The future of education is online.

What does that mean for social interaction? Is an education really only the things you learn from a book and/or from a professor, or does it also include the social interaction that occurs during class and throughout campus? Using aspects of social media, can that social interaction be recreated or simulated? How well does knowledge really flow in online courses?

All interesting questions, I think…some of them are being looked at by one of my doctoral candidate cohorts…more on that research in later posts too 🙂

What are your thoughts on the future of education being completely online? For it…against it? I would love your thoughts.

Image Credit: DEANZ Panel on the Future of Distance Learning By Choconancy1 on flickr
