Root Causes 492: When Mandatory Security Training Sucks
In this episode we get excited about errors we see in mandatory security trainings.
- Original Broadcast Date: May 5, 2025
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
So Jason, you have a topic for me.
-
Jason Soroko
It was something you had brought up, and you were so fired up that I said, oh, if I get to choose an episode today, it's gonna be one that just gets Tim completely wound. So here we are, Tim. I want you to tell me about your thoughts and feelings about security training.
-
Tim Callan
Mandatory security trainings. So I was going through my annual comprehensive mandatory security training because it is the new year, and I was going through this rather long training that's provided by a very well known third party provider. I'm not gonna say who it is because that's not the point. I was seeing stuff there that I just don't agree with. Here we are. We are taking all of our employees. We're putting them through this very official looking training process that is coming from a name of a business that they know that purports to be someone who's telling them how to do this, and we're telling them stuff that either is much more nuanced than they say, is incredibly situational, or is just wrong. I started screen capping things and sending them to you, and I'm glad you brought us back. So I've literally scrolled through, and I have the screen caps. I don't think this is comprehensive, but let's just use these as examples.
So here's the first one, and I'm quoting from the screen-capped training. This is talking about phishing, how to detect phishing. Here's the quote: "Error-free emails. Gen AI chatbots can produce output free of the telltale spelling or grammar mistakes that normally help identify phishing lures." Jason, when is the last time that you saw a phishing attack come in that had misspellings of common English words?
-
Jason Soroko
Maybe literally over five years ago, maybe up to ten years ago.
-
Tim Callan
I think ten years ago. I mean, when I looked at this, I said, what is it? 1997? I mean, phishers learned real early on to run a spell check. There was this idea that came out in 1997 of, oh, look for misspellings. You'll know it's a phish. That didn't last long. That was good for about a year because spell check is available to everybody. These guys are trying to make money, and they figured that one out darn quick. So here we are, literally twenty-five years later, and we're getting advice that's twenty-five years out of date. Who's writing this stuff?
-
Jason Soroko
You, Tim Callan, are probably more likely to get a spelling error in an email from me.
-
Tim Callan
Yes. If I were spear phishing you, I would salt in a spelling error on purpose to trick you into thinking it must be me.
-
Jason Soroko
Because I would think, well, there's no way this could be a phish. It wouldn't have a spelling error.
-
Tim Callan
What the hell? So here's the next one. We're still talking about phish. Right? "Tricky elements in a phish. Attackers may use many tactics to trick someone into taking action." They list four things. Do you want to hear what they are? Invoking authority, making personal peer appeals and raising curiosity, mentioning current events, referencing familiar business processes. 99% of the real business emails that I get are doing multiple of these things. Referencing familiar business processes? That's every work email I get. Making personal appeals or raising curiosity? Why am I getting an email if they don't either want me to do something or want to tell me about something? Otherwise, why are they writing the email at all? Invoking authority? I deal with lots of people with C's in their titles. I have a management chain. So my joke coming out of this is I screen capped this and I sent it to my manager and I said, by the way, every single time you send me an email, you're invoking authority, you're making a personal appeal, you're mentioning current events, and you're referencing familiar business processes. So from now on, I'm gonna report every email you send me as a phish. And we both had a good laugh, but this is horrible advice. This is terrible advice. This isn't advice that makes you better. Hold on. Let's go to the next one. Here's a quote. Now we're looking at websites, tricky websites, dangerous websites. Again, this is still in the phishing, spear phishing kind of training. "Stick with known trusted destinations when browsing online." God forbid. Show of hands, who actually sometimes goes to a website that you've never been to before? All of us? Every human being on the planet? What kind of useful advice is this? Stick with known trusted destinations when browsing online?
-
Jason Soroko
And by the way, Tim, only stick with the safe subdomains.
-
Tim Callan
And only stick with the safe subdomains. I mean, you know what? You could protect yourself one step more. Why don't you stop browsing online entirely? Just go buy a newspaper for God's sake. Just walk down to the corner store. Go buy your pants in person like we used to in the good old days. Like, it's just terrible advice. It's unworkable advice. Oh, let's go even better. This is now into the foreign travel section. "Consider temporarily uninstalling apps you won't need to access when traveling." What? I gotta go to Toronto to score some Toronto sessions with Jason. I'm going out of the country. I'm going to take 50 apps off my phone and then go reinstall them when I get home. What? This is crazy. Who greenlighted this? Who approved this and said that was okay to put this into a professional training module that is gonna go out to literally millions of people? Is there any oversight? Is there any thought about what these people are saying? You knew you were gonna get me fired up.
So those are the ones I captured. I think when I look at the theme here, what I see is a couple of things. One thing is I see just kind of the robotic repetition of stuff that other people said to you. There's an old story that I've been told a bunch of times where a couple gets married, and they go to bake a ham. And one of them cuts the edges off the ham. They put the ham in the oven. The other member says, why do you cut the edges off the ham? And they say, I don't know. That's what my dad always did. So then when they get together a little later, and they're at a family thing, and the dad's there, let's say the woman is coming into the family. She says to the dad, hey, why do you cut the edges off the ham? And he goes, I dunno. It's what my mom always did. And then Christmas rolls around, and everyone gets together, and grandma's there. And so she goes to grandma and she says, why do you cut the ends off the ham? Grandma says, well, because my pan is this big. And so what happens is you get this kind of robotic obedience to these real specific prescriptions and proscriptions without the understanding of the underlying reasons. Because we're all capable of looking at and understanding how all of these pieces of advice are bad. And yet somebody's getting a paycheck, not just somebody. There's people who approve content. There's people who lay it out. Like, there's a lot of humans involved. And nobody said, by the way guys, I'm sorry, but this is effing dumb.
-
Jason Soroko
Tim, thank you. I'm gonna let you keep going. I gotta just say, cybersecurity is utterly loaded with this rule of thumb crap.
-
Tim Callan
Yes. Absolutely. We get this dreck. This "I do it because I always did it that way. I do it because I had a boss in 1976 who wanted me to." And brains just shut off, completely and utterly turned off. The people who created this material, at least in those moments, had brains that were completely turned off. Then I worry that a whole bunch of people see this training. This is what I've been told to do. And we're all terrified. We're all terrified of being that guy who lets the Trojan horse in. So you start to get these official trainings and you've got to get it done. If you don't get it done by this date, then it's going to go in your record and someone from up in the hierarchy is going to come lean on you and make you feel bad about yourself. So we all take it very seriously. And it's telling us these things. You must do this. You can't do that. I think most people aren't IT professionals like you and me. Most people don't stand on stages and pronounce you should do things. Most people do as they're told when it comes to computers in the workplace. And so if you get this advice, you're not going to challenge it. You're just going to do it. And now you're going to be out looking for misspellings. And when you don't see any misspellings, you're going to think that it's a good phish when that is the dumbest advice you could give anybody.
-
Jason Soroko
The purpose of security training in general is to stop people from making it too easy to harvest credentials. Why in 2025 do we still use authentication methods with shared, harvestable secrets?
-
Tim Callan
Absolutely. I agree with you. I wanna be clear. I am not against security training because I think it's what you said. You just make it harder. Like, part of a real defense in-depth strategy is to just introduce friction everywhere you can, and as much friction for the bad guys as you can, everywhere you can. And getting your employees not to make it unnecessarily easy for the bad guy is a part of that holistic defense in-depth strategy. I think security training is a best practice. I think it should be done well. I had some opposition to the training we just went through, but I think it's a best practice. I think the mistake is viewing it as more than it is. It is a very small, minor part of your overall defense in-depth strategy. And I think if we give too much credit to the security training in terms of what it's actually doing for us, we're doing ourselves a disservice. As much as we can, we need to find reliable, repeatable, take-them-to-the-bank, systemic defenses because those are reliable and repeatable, and you can take them to the bank. And try and get the humans to rewire their brains to do the right thing. Like, there's things human brains are amazing at. Recognizing faces, telling which way is up, coming up with creative new ideas.
There are things humans are good at, but there's a reliability problem with humans. Their neural nets are weird, and they're unpredictable, and they make weird decisions. And training that out of them is biologically infeasible. Computers are nice because they are extremely predictable. And when you get them right, and they do it right, they will do it right one time or a million times. So I'm all in favor of training. But one of the rules we have for ourselves as a public CA is remove the human judgment everywhere you can. A certain amount of human judgment you're stuck with. But anywhere you can replace human judgment with a clear set of rules that always come to a correct conclusion, you must always do that. And we just wrote up a bug on Bugzilla against ourselves, and one of the takeaways was this is a place where human judgment could have been replaced with automation, but we didn't observe that that was possible until there was an error. Then we went and put that in place. And that's how we think about it as a CA. This is for our own employees and our own systems. And I think that's a huge part of it.
-
Jason Soroko
Here's some security thinking, Tim, that requires at least 200 IQ. Shared secrets are shared. Yes. Sometimes they're overshared.
-
Tim Callan
That means someone else knows it.
-
Jason Soroko
And that person who also knows it could be the guy that's hosing you.
-
Tim Callan
And I remember it was probably six years ago, Jay. You used the analogy of the secret handshake to get into the speakeasy. And with that technology level, you have no choice but to use a shared secret. If a shared secret is the best you have, of course you're stuck. But that's so rarely the case in our digital systems. In 2025? Yeah. You don't have to have a shared secret anymore in any net new system. And yet, I still see net new systems with username, password, and some crappy MFA. That's the same reason. That's because it's the same thing. This is what we did back in the day. The gray hairs said good enough for us. Why isn't it good enough for you? And this is what I learned. It's what they told me to do in school, and I just keep on doing it.
-
Jason Soroko
I remember being told fourteen years ago, we would never use phones for authentication. I was told fourteen years ago, okay, we're using phones for authentication, but SMS is the best way.
-
Tim Callan
And perhaps it was at the time.
-
Jason Soroko
The problem is that it wasn't. And this is the issue: I find it really strange that really smart people who should know better don't do the correct thinking. There's no rigor in their thought. And I think that security training, which is what this podcast is about, is one of those examples of if you're gonna spend a dollar to secure yourself, spend the dollar on a non-shareable secret authentication mechanism. Because then you don't need the security training.
-
Tim Callan
And then also do the security training.
-
Jason Soroko
Security training could be beyond authentication.
-
Tim Callan
This took a long time. They made me go through a lot of material. And obviously, I didn't screen cap everything. So the big majority of the material, I agreed with. But I shouldn't see something that is just so obviously false in a large mainstream security training from a leading provider that is being used by enterprises around the globe, and that literally millions of working humans are being told to do this. Someone should have got that right.
-
Jason Soroko
Tim, I did the same training. We have the same employer. And I thought very similar thoughts, but when you shared your thoughts with me over Teams I said to myself, oh, this is a podcast, and I thank you, Tim, for doing it so that I didn't have to.
-
Tim Callan
I mean, I bet you this isn't just this provider. I bet you this is a problem that's broader. I don't know that. But I bet you that this is a problem that's broader. And so, yeah, I think with security trainings, we can and should do better. And shame on you guys. Come on. This is your job. Do it better. And I think your point where you extended and extrapolated that to say, look, we can take this concept and apply it to all kinds of decisions in the world of IT. That is a good point, and I agree.
-
Jason Soroko
It is rife in our industry. Do not think that the normal thing is the right thing. Because in security often, it is not.