I have a lot of respect for people who work at a help desk. When I was right out of college, I got a job at a call center. I had to take an average of one call every 4 minutes. That means I talked to 120 people every day on average, and a lot of them were upset because something wasn’t working. I estimate that I must have talked to 3000 people in the 6 weeks I worked there. I quickly moved on to another job.
This was the place where I first heard the phrase, “Problem Exists Between the Keyboard and Chair” or PEBKAC. Let’s talk about where we come from for a second. Most Security people come from an IT background or work under the IT umbrella. In IT, we are generally a bunch of introverted people: we like code and algorithms and technical solutions to problems, and we tend to treat people as though they were a problem that needed to be solved. Let me repeat this: IT thinks of users as the problem.
This isn’t wrong, exactly. I recently read an article about users being the one thing about computers that can’t be patched. A study by IBM indicates that 95% of all hacks result from human error. I’ve heard a phrase that some professors use in higher education: “college would be great if we just didn’t have any students.” The trend in security seems to be to think that companies would be great if we just didn’t have any employees. Really?
We say that people are the weakest link in security. I read an article recently that talked about how people are the one thing that can’t be patched. Let’s say that you’re a golfer and you have a really great drive, but your putting game is terrible. If you’re like me, you always lose at Putt-Putt. In golf or any other sport, do you work on the strongest part of your game? Or on your weakest? Professionals always, always work to develop a complete game. They’re not like Happy Gilmore.
I would argue that in cybersecurity, we are working on the strongest part of our game (tech), and ignoring our weakest (people). There might be some good reasons for that. We might not trust our users fully. They don’t always do what we ask of them. They’re unpredictable. They make mistakes. So we try to overcome that reality with technology, but this is like trying to improve your putting game by getting a hole in one every time.
To be cybersecurity professionals, we need to have a complete game. To do this, we have to flip the PEBKAC mindset and start thinking that the Solution is Between the Keyboard and the Chair.