For all the effort we put into securing our corporate systems from a technical perspective, it's still the case that the bulk of the effort associated with a comprehensive security posture relies on helping our people understand their role in security efforts day by day.
For this reason, security training programs have been implemented far and wide, but does training really fit the bill? When we talk about training, we are really referring to rote repetition of concepts, ideas, and steps in process. This can be very helpful when teaching your staff the value of a check-list to ensure that each step was completed, but what about when the end-user needs to actually interact with the situation and make a decision?
This is where education takes over... When we teach ourselves how to evaluate the evidence at hand and make a decision, that's the heart of real education. The best way to educate your workforce on security concepts is to give them the tools and information, and then step back and let them teach themselves.
This requires more preparation on the part of the instructor, but it will empower your workforce to evaluate the situations they encounter every day and make effective choices... and wasn't that the whole point of the exercise in the first place?
Training versus Education
