As data breaches increase globally in both severity and frequency, business leaders are realizing that achieving better security outcomes requires a significant shift in the traditional mindset and approach.

It is all too easy to point to examples of massive cyberattacks in which malicious actors managed to move freely through internal systems once they gained access behind corporate firewalls. The traditional castle-and-moat approach to security quite simply isn’t up to the task of dealing with the current threat landscape.

This is a large part of the reason why resources such as Forrester’s “Zero Trust Security Playbook For 2019” are attracting so much attention. As a security concept, zero trust is based on the principle that organizations should never automatically trust anything inside or outside their perimeters. Instead, they must verify everyone and everything trying to connect to their systems before granting access.

When successfully implemented, the zero trust framework can be a positive step toward building resilience. However, beyond the difficulties involved in applying it to legacy systems, zero trust shares one shortcoming with the castle-and-moat approach: it relies on technology and architecture alone to achieve target security outcomes, without really considering how the security framework fits into the wider organizational system of dynamic business interactions.

More importantly, the role of people, and particularly the wider pool of nontechnical talent, is rarely treated as relevant to the journey toward better security outcomes.

Thinking About Security as a System

While the thinking around architecture and the trust-bias toward technology may be shifting, many IT and security professionals still have a long way to go when it comes to learning to trust nontechnical colleagues and stakeholders from outside their immediate circle.

Technical specialists often lambaste users for their alleged stupidity, carelessness or cluelessness. But there is very little introspection in IT and security circles about why it is so easy for users to make mistakes. Could it be that the tools and processes users interact with are unnecessarily cumbersome and actually conducive to misuse and error? Is it really so hard to believe that the underlying security program design is also at fault, not just the human element?

Don’t Lose Sight of the ‘Why’ of Security

Maybe the time has come to retire the old perception that humans are the weakest link and represent the greatest risk in a security program. Have we forgotten why we’re doing security in the first place?

The “why” is not about protecting the network; it’s not even about protecting the crown jewels.

The “why” is about protecting what the network enables and safeguarding what the crown jewels represent. While the specifics will vary from business to business, fundamentally what we’re talking about is protecting the integrity of people, their assets and their foundation of trust — in other words, their ability to live their lives freely in the secure physical and financial conditions of their choosing.

From Weakest Link to Precious Resource

Contrary to the default specialist position that tends to reduce the human element in security to the role of nuisance risk-factor, let’s remember that without customers and internal users there would be no business — and without a business, there would be no need for IT or security in the first place.

We need to stop trying to circumvent people and instead start trusting them to play a key role in operationalizing security as a system. The time has come for us to work with people instead of around them with the benevolent assumption that, given the right conditions, they will be enthusiastic and motivated to actively engage in protecting their company and, by extension, their livelihood.

Imagine how differently employees might behave if we talked about them, and to them, in a more positive way about security. How about inquiring more deliberately into how we might leverage people’s decision-making and action-taking capabilities to create another layer of resilience that makes the business more secure?

When you consider the human element, focus not on the potential for a catastrophic security failure, but on trusting people to act as a strong line of behavioral and decision-based defense. Think of what our people could achieve if we gave them the training, opportunities and environment to empower them at different levels inside an enterprisewide security organization.

Is it not worth trying to nurture the rich potential and diversity of people’s competencies instead of decrying their flaws? You can even take it a step further by rolling out a structured, scalable and repeatable program for identifying and nurturing their dependability, resilience, energy, adaptability and commitment to learning how to consistently do the right thing in every circumstance, even the most unforeseen.

Design Your Security Program to Better Serve the Business

If our experience to date has taught us anything, it’s that security outcomes will remain suboptimal for as long as security subsists as a self-contained discipline operating in tech-driven autarchy.

We should aim for a holistic model of adaptive security that delivers high business impact. To do that, we need a ubiquitous set of dynamic capabilities that operate as a system, fluidly and fully permeating the primary system that security exists to serve: the business.

Bearing in mind that rogue actors are the exception not the rule — and assuming that people essentially come to work wanting to do a good job as they search for autonomy, mastery and purpose — how might we go about designing a security strategy with better outcomes in mind for all our users, from the most technical to the least technical, from the custodian to the CEO?

The goal of any security program should be to democratize security as a central enabler and focal point for human-led endeavors in the enterprise, thereby breaking the false dichotomy that places security in hostile opposition to the very stakeholders it is meant to serve and protect.

The time has come to think differently about the role of human talent in a security-as-a-system environment so we can design differently for better collective outcomes.

What we need to do now is mobilize and move forward — together.
