Security Controls chart

I'm finding myself more and more often speaking to senior leaders about human risk. Leaders not only want to better understand how to manage human risk, but why we are facing this growing problem. Attached is a graph I love to use when starting this discussion (feel free to steal and use if it can help you). Many security professionals like to blame employees as the problem, often quoting the term "you can't patch stupid".  A quote and attitude that I passionately disagree with. People, just like the Windows operating system - store, process and transfer information. As a result, people - just like the Windows operating system, are also a target. However, as you can see in this graph we have invested a huge amount of effort in the past 15-20 years securing one type of operating system (Windows OS) while investing almost nothing in securing the other operating system (Human OS).

The problem is not that people are lazy, stupid or inherently insecure, the problem is we the security community have failed  to secure them. We have failed to build mature awareness programs that focus on key behaviors that people can easily exhibit. We have failed to engage people in their own terms that they can easily understand. This is all beginning to change, which is why I'm so excited and optimistic. But the change is not going to truly happen until we  communicate that problem to our leaders.  Leadership needs to understand that just as we invested in security technology and saw a dramatic ROI, we need to start also investing in securing people. And the best way to make that investment, as demonstrated by the 2017 Security Awareness Report, is to invest in at least one Full Time Employee (FTE) to run your security awareness program. As for those in the security community who feel that people are still an unsolvable problem, I challenge you to take a long look in the mirror first and ask yourself what you have done to help secure people in their terms and not yours.

To learn more how to build mature awareness programs, join us for the EU Security Awareness Program this 6/7 Dec in London.

About the Author
Thumbnail

Lance Spitzner

Director, SANS Security Awareness
Lance Spitzner has over 20 years of security experience in cyber threat research, system defense and awareness and training. He helped pioneer the fields of deception and cyber intelligence with his creation honeynets and founding of the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build programs to manage their human risk. Lance is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. Before working in information security, Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and