Can Technology Provide a Complete Security Solution?

Back in 2009, I wrote a couple of blog posts about security – one about whitelisting/blacklisting applications and one about the “cost” of security on productivity (they are both still relevant and worth a read). Recently, I have been working a lot on policies to ensure the security of mobile devices. While doing this, I have discovered an interesting phenomenon: There are some people who believe that it is possible to use technology to provide a complete security solution.

I am certainly not saying that it is impossible to use technology to provide a complete security solution – I am simply saying that it is improbable, difficult, and very costly. Those who believe in a pure technological solution are missing an important piece of the security puzzle: the human factor. This MUST be addressed through published security policies, user training on those policies, enforcement of policy compliance, and required refresher training.

If end users are educated about the risks and consequences of policy non-compliance, I believe that most will work to be compliant. If you couple education with real, random enforcement and consistent consequences (for continued non-compliance), I believe that you can get very close to complete compliance with security policies and, thereby, a complete security solution. Regular reminders about risks and consequences will also help users to stay compliant with security policies.

The bottom line is this: If you implement only technological security solutions and fail to educate users about risks and consequences, you will find yourself with users who are intentionally circumventing the technological solution (either because they don’t understand the risks or because they know that there are no consequences for their actions).