As data breaches increase globally in both severity and frequency, business leaders are realizing that achieving better security outcomes requires a significant shift in the traditional mindset and approach.

It is all too easy to point to examples of massive cyberattacks in which malicious actors managed to move freely through internal systems once they gained access behind corporate firewalls. The traditional castle-and-moat approach to security quite simply isn’t up to the task of dealing with the current threat landscape.

This is a large part of the reason why resources such as Forrester’s “Zero Trust Security Playbook For 2019” are attracting so much attention. As a security concept, zero trust is based on the principle that organizations should never automatically trust anything inside or outside their perimeters. Instead, they must verify everyone and everything trying to connect to their systems before granting access.

When successfully implemented, the zero trust framework can be a positive step toward building resilience. However, beyond the difficulties involved in applying it to legacy systems, zero trust also shares one of the same shortcomings as the castle-and-moat approach: it relies on technology and architecture alone to achieve its target security outcomes, without really considering how the security framework fits into a wider organizational system of dynamic business interactions.

More importantly, the role of people — and particularly the role of the wider pool of nontechnical talent — isn’t considered relevant in the journey toward better security outcomes.

Thinking About Security as a System

While the thinking around architecture and the trust-bias toward technology may be shifting, many IT and security professionals still have a long way to go when it comes to learning to trust nontechnical colleagues and stakeholders from outside their immediate circle.

Technical specialists often lambaste users for their alleged stupidity, carelessness, cluelessness, etc. But there is very little introspection in IT and security circles about why it is so easy for users to make mistakes. Could it be that the tools and processes that users interact with are unnecessarily cumbersome and actually conducive to misuse and error? Is it really hard to believe that perhaps the underlying security program design is also at fault, not just the human element?

Don’t Lose Sight of the ‘Why’ of Security

Maybe the time has come to retire the old perception that humans are the weakest link and represent the greatest risk in a security program. Have we forgotten why we’re doing security in the first place?

The “why” is not about protecting the network; it’s not even about protecting the crown jewels.

The “why” is about protecting what the network enables and safeguarding what the crown jewels represent. While the specifics will vary from business to business, fundamentally what we’re talking about is protecting the integrity of people, their assets and their foundation of trust — in other words, their ability to live their lives freely in the secure physical and financial conditions of their choosing.

From Weakest Link to Precious Resource

Contrary to the default specialist position that tends to reduce the human element in security to the role of nuisance risk-factor, let’s remember that without customers and internal users there would be no business — and without a business, there would be no need for IT or security in the first place.

We need to stop trying to circumvent people and instead start trusting them to play a key role in operationalizing security as a system. The time has come for us to work with people instead of around them with the benevolent assumption that, given the right conditions, they will be enthusiastic and motivated to actively engage in protecting their company and, by extension, their livelihood.

Imagine how differently employees might behave if we talked about them, and to them, in a more positive way about security. How about inquiring more deliberately into how we might leverage people’s decision-making and action-taking capabilities to create another layer of resilience that makes the business more secure?

When you consider the human element, focus not on the potential for a catastrophic security failure, but on trusting people to act as a strong line of behavioral and decision-based defense. Think of what our people could achieve if we gave them training, opportunities and an environment to empower them at different levels inside an enterprisewide security organization.

Is it not worth trying to nurture the rich potential and diversity of people’s competencies instead of decrying their flaws? You can even take it a step further by rolling out a structured, scalable and repeatable program for identifying and nurturing their dependability, resilience, energy, adaptability and commitment to learning how to consistently do the right thing in every circumstance, even the most unforeseen.

Design Your Security Program to Better Serve the Business

If our experience to date has taught us anything, it’s that security outcomes will remain suboptimal for as long as security subsists as a self-contained discipline operating in tech-driven autarchy.

We should aim for a holistic model of adaptive security that delivers high business impact. To do that, we need a ubiquitous set of dynamic capabilities that operate as a system, fluidly and fully permeating the primary system that security exists to serve: the business.

Bearing in mind that rogue actors are the exception, not the rule — and assuming that people essentially come to work wanting to do a good job as they search for autonomy, mastery and purpose — how might we go about designing a security strategy with better outcomes in mind for all our users, from the most technical to the least technical, from the custodian to the CEO?

The goal of any security program should be to democratize security as a central enabler and focal point for human-led endeavors in the enterprise, thereby breaking the false dichotomy that places security in hostile opposition to the very stakeholders it is meant to serve and protect.

The time has come to think differently about the role of human talent in a security-as-a-system environment so we can design differently for better collective outcomes.

What we need to do now is mobilize and move forward — together.
