Security awareness can be the most cost-effective security measure

25.07.2012

Then there is the fundamental concept that the I in IT stands for INFORMATION, not computers. The acronym CISO stands for Chief INFORMATION Security Officer, not Chief Network Security Officer. Aitel's article and his recommended countermeasures, offered in lieu of awareness training, fail to recognize that information exists off a computer network. As the previously mentioned quote makes clear, there is no technology that will prevent the human mishandling of paper information and computer media. Yes, media can be encrypted, but the cost of trying to find lost media, even if it is eventually found, can be enormous, drain resources and result in public embarrassment. The return on investment for a security awareness program of this kind can be huge, even if it prevents only a single incident.

But the biggest issue is perhaps that security awareness efforts are frequently not optional. Any good security practitioner realizes that their clients have to adhere to a variety of compliance standards, with a variety of interpretations. Awareness programs are required or implied by standards including PCI and HIPAA. Telling people not to do something because the pontificator believes it is a bad idea is simply not an option, even if the guidance is reasonable.

So, just to summarize, the fundamental issues of security include, but are not limited to, the following: no security measure is perfect; awareness mitigates non-technical issues that technology cannot; CISOs and other security managers are responsible for protecting information in all its forms; and in many cases awareness programs are not optional. The fact of the matter is that no security measure should be judged by the standard of perfection. The real standard is return on investment. By that standard, you will find that security awareness is one of the most reliable security measures available.