By Jason Hoenich on Dec 18, 2017
I'm kind of over all of this complacent industry agreement that hacks will happen because humans are the weakest link. It's become a catchall, responsibility-avoiding excuse within the security world. I've heard it spewed profusely at security conferences, in business meetings, and it's a rampant excuse/comment on LinkedIn & Reddit posts. It's on the same level as responding to an issue with "well, boys will be boys", or "she shouldn't dress that way if she doesn't..." - no...no no no no.
It's bullshit. Now, I could agree with the statement that humans are the weakest link if it is referring to those humans blindly writing security policies, poorly architecting networks, implementing complex security solutions, and expecting their users to bend to the will of security policy and network.
I can't agree with this state of mind though, having been in the trenches working directly with "the humans" (what are we, aliens?). I know my users are intelligent, they want to do better, and they want to learn more about this stuff. It's scary, and often complicated, and it is our job to make it less scary and much easier to understand. Having worked with hundreds of thousands of users, rarely did I find someone (outside of someone being inflammatory or upset at having responded to a phishing training campaign) who really was the weakest link.
What I have found is that humans are really good at sniffing out poorly designed systems, bad UX/UI, calling out complex processes, and showing us where we are failing them. That's right:
Humans are excellent at pointing out how you are failing them.
Users aren't using your VPN? Well, how simple is the process to request and be issued VPN access? How easy is it to use it?
Users constantly clicking on phishing emails? How well is your filtering tuned? Are they reporting them? Is there a clear and simple method for them to report?
It's just not as simple as the statement makes it seem. As an industry we need to change this mindset and dialogue from vendors. Stop pushing this poisonous line of thinking, it is toxic on many levels.
CISOs, if this is the basis of your or your team's mentality when developing your training and awareness efforts - what kind of foundation is that? If you're starting from "users are stupid", what kind of communication and message are you creating for those users? If you're speaking to them like they're stupid, you're probably doing years of damage to your organization's reputation.
Security awareness managers, are you telling your users they're the weakest link? It's like telling your children they're too stupid to understand something - and then trying to explain to them anyway.
If your users seem to be the weakest link, or you have consistent problems throughout your organization, I would highly encourage you to sit in your users' seats for a day. Experience your processes for yourself. Listen to your users first, blame later. Build better experiences from the ground up. Are you insisting on pushing newsletters each month but frustrated that no one is reading them? Or no one is visiting your intranet site? How interesting are they? How easy are they to find? Are you providing value at all?
The next time you're quick to fall back on users being the weakest link, I would take a minute to consider that maybe, just maybe, that weakest link...could be you. *Cue shrieks and gasps*
Vendors - stop feeding us this drivel that humans are the weakest link, and start providing better products, better solutions, guidance substantiated on actual experience, and better design and implementation.