Recently Bruce Schneier posted a blog titled "Security Design: Stop Trying to Fix the User". As usual, Bruce raises some interesting points that are well thought out. What is unusual in this case is that I strongly disagree with him. I've known and respected Bruce for over 15 years now (he was one of the first Board members when I started the Honeynet Project). But that does not mean we can't respectfully disagree. Bruce's key point in the blog (as I read it) was that we need to stop training people in cybersecurity, and that designing proper technology alone is the solution. I could not disagree more, and this is why.
- Technology Only: In a perfect world, if we designed, deployed and maintained all technology correctly, then yes, we would not need people to be cyber aware. In a perfect world technology could also solve world hunger, crime and all diseases. Unfortunately we do not live in a perfect world. Technology will always be advancing and changing, and there is no way our technical defenses can stay current. In addition, for the past 20 years I've continually seen the same thing: every time our community implements a new technical solution, the bad guys come up with multiple ways to get around it (usually involving the human). Finally, security is all about layered defenses; when one layer fails, the next layer catches it. The HumanOS is nothing more than another layer that can kick in when technology fails. The only difference is that instead of patching this OS with code, you 'patch' it by changing human behaviors.
- Personal: Even if you created the perfect, secure environment at work, what about home or personal use? If you are targeted, trust me, they will come after your personal accounts. I know of two cases where bad guys targeted the personal email accounts of their targets' children. In addition, what about areas where technology has little control? For example, how do you filter a phone call? What about CEO Fraud attacks, where there is no malicious link or infected attachment to filter? What about the content that people post on their personal social media accounts, or people who reuse their work passwords for their personal accounts? How do we use technology to manage that? As the worlds of personal and work continue to blur and blend, this will only be a growing problem.
- Detection / Response: Finally, I would argue that Bruce's blog focuses on prevention. But what about detection and response? Time after time I have seen aware employees, and not technology, report an attack. People can often be the greatest detection mechanism, as Bruce himself has pointed out. Let us not forget that awareness is not just the Human Firewall, but the Human Sensor.
There is one point in Bruce's blog post that I vehemently agree with: we need to make security simpler for people. This is where we so often fail. Cybersecurity is not a motivation issue for most people, it's an ability issue. We continue to either focus on the wrong human risks (I love Bruce's example with the USB stick drops; he was spot on that this is a waste of time) or we make managing those risks overly complex (passwords, anyone?). Long story short, I respectfully disagree with Bruce. Technology is definitely where any organization should start, but at some point we need to invest in the human element as well, or we will continue to lose this fight.
UPDATE: 17 OCTOBER: After talking to Bruce Schneier several times, I feel our views are actually much more similar than different. His intent in the blog post was not to say we should not train people, but that the technology is so broken that it requires too much training. His focus is on fixing the technology so people do not have to be trained. While I fully agree with that goal, I still firmly believe we also need to work more on securing the human.