Does the evidence really prove people are the weakest link?

[Image: men on scaffolding. Credit: Sheila Tostes]

Instead of using data and anecdotal evidence to confirm people are the weakest link, use it as a signal for where to look for real answers and solutions

“People are the weakest link in security.”

Have you ever said that? It gets repeated in presentations, blog posts, and training all the time. It captures headlines. We even gather evidence and anecdotes to "prove" it.

This isn't new, either. A theme for the last few decades, it always baffles me. How do we reconcile the notion that people are incapable against the proof and progress around us?

I look at the structures, buildings, solutions. The things once declared impossible that are now commonplace. Sure, people can be frustrating. But individuals? Often inspiring.

Does the evidence prove that people are the weakest link?

Perhaps it is more symptom than actual problem. In that case, consider the data a signal. A prompt for where to look. Consider the context and explore where else to look for answers.

Are people actually to blame?

Our environments continue to grow more complex. Data -- and access to it -- is proliferating. More systems. More ways to access and process data. More mobility, too. The speed of change is picking up.

We find ourselves inundated with information. Yet we starve for insight. We long for the ability to work through information to build knowledge. Some aspire to blend knowledge and experience to build wisdom.

It means we need to consider the complexity and speed of change. As a security industry, we struggle to wrap our heads around the change. We feel a step behind. We want better solutions and more resources.

Our colleagues are in the same situation. Except they don’t focus on security.

Our struggle to understand and explain gets lost in translation. It only gets through when we make the time to capture, distill, and translate. How often do we make time for that?

Be wary of any conclusion that means people are dumb or at fault. With so much complexity, demand, and distraction, look a bit deeper.

Things to look for instead of blaming people

Before condemning people, consider at least three areas of the environment that affect people:

  • System design. What is the experience of the technology? Does it make it harder or easier for someone to do their job? Does it create pathways that protect information? Does it improve over time?

  • Process. Processes cobbled together over time are often inefficient. Those processes may encourage risky behavior. Explore changes that reinforce actions that are right for the business while protecting information.

  • Expectations. Are people asked to do realistic things? Do they know? Are they trained?

Friction in communication and process creates confusion. People don't know what is actually expected of them. Frustration ensues.

Smart people find a way to meet their objectives. They manage their risk. Based on their field of view. How can you blame them?

That signals a need to take a people-centric approach. Peter Hesse shared his insight in "A CSO explains how to reduce risk by improving user experience." A good starting point. The approach benefits the way we work to protect systems and information.

Suggesting people are incapable is a cop-out. A weak excuse.

Seize your leadership opportunity

Dig deeper when presented with evidence. Any evidence. Question the initial conclusion. Ask why. Spend time considering. Especially when it comes to people. Explore the conditions and situations in which people do their work.

This is the opportunity for exceptional security leaders and powerful communicators. Set aside the potential for confirmation bias. Connect with others. Advance solutions that make it easier for people to do their jobs while protecting information.
