James Bore

The biggest thing that people forget about security is that on a very fundamental level it is about people.

You will sometimes hear statements like people are the weakest link, or your strongest defense, or a myriad of other sayings. What all of these tend to overlook is that, if we consider security as the art and science of protecting an asset from a threat, ultimately the only threat out there is more people (excluding aliens), and the only assets we are looking to protect are yet more people.

You’ll hear people, processes, and technology bandied around a lot and it’s important to view people as the most important of those three. If your processes hinder the people who belong in your asset group, then your assets will find workarounds and become threats. If your processes aid those in your threats group, then you are helping them to target your assets.

Everything that you do in security you should be able to associate directly to one of two goals:

• Empowering your asset people to achieve their aims

• Disempowering your threat people

When you start to look at security through this lens, the people-focused lens, things change. Constraints that are placed because they are considered best practice often become unnecessary, while things that might be overlooked (updating your password policy to passphrases with a good communications rollout plan) become priorities.

When working with the rest of the organization this lens makes a huge difference. Remember, the organization does not exist to enact security; security exists to help secure the aims of the organization, which are realized through the people who make it up. When security becomes an obstacle to people in the organization, it becomes an obstacle for the organization and people work around it. When, instead, it becomes a sensible precaution and set of practices that people understand the reasons for and how it protects them, the value becomes obvious.

When the value of security is being questioned within an organization, a solution is never to double down on enforcement. Bringing in additional constraints and obstacles increases the resentment, with good reason. The focus must be on educating people on why security matters to them, personally. Stamping people into shape does not lead to them following good practices, nor doing their best towards common goals.

If you run into the occasional problem where someone will fundamentally not accept following security practices, there are really two options. Either that person should not be within the organization, or the practice needs to be reconsidered. Sometimes there are just people unwilling to act in their own best interests, whether that’s because you are unable to convince them, or simply because their personal risk appetite is at odds with the risk appetite of the organization.

The big takeaway here is simple. If you come across some practice in security and cannot point to how it protects your asset people from your threat people enough to justify any obstacles it puts in the way of your assets, think very carefully about whether it is necessary in the first place.