May 7, 2007

  • So Called “Training”

    Certain businesses that shall remain nameless have a tendency to hype the importance of security and how it is the wave of the future. They claim that this is a matter of critical importance for the survival of their company and to ensure the trust and support of their customers.

    And yet when the time comes to actually act upon those convictions and do what is necessary to increase the security of their infrastructure, one of their hallmark acts is to give their developers special “security training” in order to be in compliance with such and such rule or another for certification for something. This oh so essential training consists of, get ready for it, a whopping one-hour slide show!

    No. No follow-up meetings. No additional discussion. Yes, there’s a handout and it references some books as “recommendations,” but there’s no requirement for the developers to read the handout, let alone the books it mentions. This training may well occur once a year, but it’s always just an hour and it always says pretty much the same thing.

    Indeed all that is really expected of the developer is that they sign on the dotted line that certifies that they have received their vaunted “training”.

    Now I know developers are amazing beings capable of astounding acts of mental agility, but can you or anyone else really learn anything in an hour? Of course not. One hour is not training. It is a sick joke. A grotesque little trap to ensure that management can try to hold underlings accountable when the shit hits the fan.

    Of course, I doubt it will ever work. If there is any egregious violation, all this kind of rubber stamp does is ensure that the workers and the management both get the boot from the higher level of management, which is still trying to CYA. Of course the workers will suffer first, but that is to be expected. But if the auditors or investigators are particularly determined, they will no doubt set the blame squarely on the highest level of control, and so pretty much everybody is screwed.

    So then, I guess I just don’t get it. Why not just pay for real training that will be meaningful, extensive, and might actually result in creating employees who are knowledgeable enough to prevent risky security breaches in the future? If you can’t afford that, then why waste your developers’ time with a cheesy “fake” training that doesn’t change anything at all, except to allow you to lie to people and say your developers are “trained”?

    Business is so grotesquely about appearances. It often makes me ill.
