In Cybersecurity we refer to employees as the Human Element. We generally call the Human Element the weakest link in Cybersecurity. It’s easy to see the logic in this, but unfortunately for many of us, this is wrong. Humans are the Strongest Element in Cybersecurity.
Sure, humans are the ones that make the mistakes. They fall victim to social engineering. They write bad code. They misconfigure firewall settings. Some statistics say 70, 80, or even 90% of all breaches are because of people. But even if it were 100%, I still insist that humans are the strongest element in security.
In 2016, there were 1,093 companies that experienced a data breach, an all-time high. We also know that there are some breaches that haven’t been discovered yet. That’s a big scary statistic.
But we can still safely say that over 99% of companies DIDN’T get breached last year. Even at the ones that did get breached, over 90% of human elements DIDN’T make a mistake. Even the ones that made mistakes didn’t make mistakes 100% of the time…they made a few mistakes, probably because of other pressures.
Why do we focus on failure instead of success? It’s not bad to want to learn from our mistakes. In order to prevent the next breach from happening to us, we want to get out there and stop it. But then we get a new breach, and we try to stop that. Unfortunately, this problem-centric approach looks a lot like a dog chasing its tail.
I like to call this problem-centric approach the “Dark Side” of Cybersecurity. Focusing on failure leads to finger pointing, finger pointing leads to scapegoating, scapegoating leads to shortcuts, which in turn leads to more breaches.
I’ve written about how Cybersecurity leaders should look a lot more like a coach or a teacher rather than a bouncer or enforcer. I’ve also written about how security is like a muscle: it needs to be trained and strengthened. A coach would look at this problem and say we need to model the good behavior in order to break those bad habits that trip us up. If your coach slapped you on the hand every time you lifted a weight incorrectly, you’d just give up. Or you’d fire your coach. Instead, your coach shows you what good form looks like. He needs to break the process down into its foundations and come up with drills to improve the foundational components.
If you’re a coach, you start to look at people like players. Players are the ones you attack the problem with. They’re your partners in that objective. You don’t complain about the player who dropped a ball or made a mistake. You go back into the locker room, review the play, and make adjustments. The coach can’t run the ball across the goal himself; he needs the players to be on the field.
If you asked a coach what the strongest part of his team is, what would he say? The football? The field? The sports drink that they give the players? His game plan? Or would he say his players? The human element is the strongest element.