Comment Re:well (Score 1) 128
Ahh, so you work at one of those places with horrible culture.
I don't work there anymore, but I've been in the security industry long enough to know a number of companies, as well as the uncomfortable squirming that follows if you ask security training providers for independent evidence supporting their claims.
It's not a problem of IT security. Fire security trainings are quite similar, except that they have evolved thanks to decades of experience - in a modern company, those responsible know that the fire drill is primarily to train the assigned helpers and floor supervisors, not the employees.
Instead of saying "this is stupid, I know this stuff" you could volunteer to help mentor people or simply grunt "yup, saw a guy get hacked by this once" instead of holding negativity.
I never said security is stupid. I am saying security awareness trainings are a waste of time, by and large. Tell me, how many people have you had in those trainings who thought, before they went in, that giving your password to random strangers is a good idea? 90% of the content of these trainings is either boring because everyone knows it already, or boring because it's too technical and not interesting, so they filter it out.
I've had the responsibility of writing or reworking existing IT security policies, and my advice has always been to make them as short and simple as possible. I've seen a multinational corporation vomit up a 300-page security policy, which was really great from an ISO 270xx POV, but aside from the guys in the security department who wrote it, I'm fairly certain I was the only other human being who actually read all of it, ever.
I love security. But I think our industry's approach to users and security is fundamentally flawed, and trainings are a band-aid on a broken arm - placebo treatments that don't even touch the real issues.