how not to secure critical data chart

I recently saw this chart being shared on LinkedIn.  I do not who developed the chart, nor is this a personal attack, but it is approaches like this why information security will never succeed.  People were promoting this chart as a great reference on how to secure critical data.  The overall approach is to identify where your critical data resides, and then position all your controls around that data, 57 controls to be exact.  While the approach is correct (protect critical data) the controls are wrong.  Think about it.  Where is your critical data stored?  On systems, devices AND PEOPLE.  Computers store, process and transfer information, think Windows OS.  PEOPLE store, process and transfer information, think HumanOS.  Out of the 57 controls listed, ONLY ONE is dedicated to the Human Operating System.  Yup, just one.  And we begin to wonder why people are the weakest link.  It is not because people are lazy or stupid, it's because we fail to help secure them. Technology is critical, and where every organization should start.  But after your technical controls mature, and you have managed your technical risks, you absolutely must address your human risks.

Geeks have been saying for years "But if you do technology right, you don't have to worry about people!"  Sorry geeks, not true.  We have been trying to use just technology for over twenty years now, the situation is only getting worse, not better.  In addition, the bad guys now just bypass technology.  Have the best perimeter defense in the world?  Bad guys will just call your employees.  Have the best email filters in the world?  Bad guys will just attack your leaders' personal @gmail accounts.  Have social media blocked?  What do you think employees are doing on their smartphone during break?  In fact, I would argue we have gotten so good at our technical controls that we are driving bad guys to target the human.  How is more technology going to solve that problem? If we want to make a difference, we absolutely must go beyond just technology and address the human element also.  When charts like this identify human controls as only 2% of the solution, we are going to continue to fail.

UPDATE:  I've been getting messages from people asking how I would fix this chart.  It's not so much the chart needs to be fixed as it's ignoring the human element.  What I would suggest (and may do) is create a complimentary chart that lists all the controls that apply to the human element.

Want to learn more about changing human behavior?  Join us at the European Security Awareness Summit this December in London and learn from hundreds of experts around the world.    

About the Author
Thumbnail

Lance Spitzner

Director, SANS Security Awareness
Lance has over 20 years of security experience in cyber threat research, awareness and training. He invented the concept of honeynets, founded the Honeynet Project and helped pioneer the field of cyber intelligence. Lance has published three security books, consulted in over 25 countries and helped hundreds of organizations establish mature security awareness programs. Lance serves on the Board for the NCSA, is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. He served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.