Why people are not the problem in security and where to look (hint: grab a mirror)

Do not put your faith in what statistics say until you have carefully considered what they do not say.  ~William W. Watt

Over the last few years, we have been presented with a series of reports, complete with statistics, suggesting that the cause of security breaches is people. Whether it is external attackers taking advantage of individuals, insider mistakes or even insider espionage, the overly simple and false conclusion seems to be that people are the problem.

Well, they aren’t. Except, of course, they are.

When I wrote Into the Breach, I realized early in the process that “breach” (no matter how it is defined) is a symptom. So focusing on preventing security breaches basically creates a losing situation where valuable time, money and other resources are wasted… only to leave the real challenge untouched.

The real challenge is what I dubbed the human paradox: individuals have been systematically (albeit unintentionally) disconnected from the consequences of their actions. This results in a challenge where people no longer take responsibility and are nearly impossible to hold accountable.

If people aren’t the problem, what is?

When introducing the concept of the human paradox in the book, I suggested we face a people problem. Upon further research and consideration, I would write that section differently: we face a human paradox where people are not the problem.

Consider this: “people have been unintentionally and systematically disconnected.”

This raises the question, “who disconnected people from the consequences of their actions?”

Short answer: we did. But it wasn’t intentional.

I liken the current experience described by practitioners as “security pain” to what new parents learn as “short term gain, long term pain” – the idea that actions designed to quickly defuse a situation often create more complicated problems down the road. Basically, the actions taken over the last decade for short-term gain have disconnected people from the consequences of their actions – creating the current pain we feel.

The rapid pace of change in technology and security over the last decade or so makes it more difficult for professionals to keep up with solutions and potential consequences. Even more complicated, then, is breaking down the range of outcomes and explaining them in a way someone else (without the same background and understanding) could easily understand.

When users rightly questioned changes, the path of “short term gain” was to suggest they wouldn’t understand and to take the decision – and the resulting consequences – out of their hands.

But it’s okay.

It’s part of human nature.

This means that instead of blaming “users” generically for not knowing and not being good enough, we should first look in the mirror. We played a role in making the situation we lament.

So we recognize it and move on.

The question is what comes next. And that’s where I have focused my passion, blended with my experience and skill as a human ecologist, in security and in the tradecraft of effective communication.

The Path Forward

The answer lies in connecting people to the consequences of their actions; it means we have to bridge the gap. But it’s both easier – and more complicated – than just inflicting pain and punishing bad decisions.

So – tell them the consequences and we’re all set, right?

Well, it’s not that easy.

We need to change the way we think, change the way we act and work to cultivate a new culture to address how we manage risk, information and the relationships with the people we serve.

We need more deliberate dialogue: conversation with a purpose that “meets people where they are” and works in a way that allows everyone to learn. When we enter the conversation as equals, each with a valid set of experiences and a desire to reach common understanding, something magical happens.

Best part: no new investment in technology is needed. This costs time. It requires being present. For some, this is simple, easy and obvious. For others, this is a challenge and will be a rough start.

We have a lot of work to do. I’m here to contribute and lead the change we need.