We technologists are to blame for the death of Cyber Security. We are largely responsible, not directly but indirectly, for the havoc of Cyber Crime that has damaged our privacy and our overall ability to use the internet safely.
Since the dawn of the Internet, the typical attitude of IT staff towards ‘the users’ has been “control over trust.” From this perspective, ‘the users’ cannot be trusted, so their devices are locked down to prevent them from installing unwanted software, changing settings and generally putting the enterprise at risk.
On the surface, this might appear to make sense. Some risk certainly is mitigated this way, but it is worth asking: “At what cost?”
Most corporate cultures have shaped how security is “done” around command and control rather than around empowering people with the knowledge and awareness to make informed decisions confidently. By treating “the users” like children for the past 20 years or so, by limiting the control they have over their own laptops, have we effectively created an entire population clueless about information security best practices?
Is it true that many IT departments, often knowing little or nothing about cybersecurity themselves, boldly and unpreparedly cut everyone else out of the loop, leadership included, even as those same teams struggled to maintain a veneer of competence in protecting the organization and its bottom line? And as a result, have most people outside technology cultures been left ever more unaware of simple defenses against threats that are very real and continue to grow in both frequency and complexity?
Time has run out.
The focus must shift now, to people, and to empowering them through education, tools and trust. Especially now, when security can no longer be approached exclusively from a perimeter perspective. Threats no longer arrive primarily through the firewall. Moats around the castle are nice for aesthetic purposes, and the blinky lights on firewalls and other pricey hardware still serve a purpose, but too often that purpose is mainly to comfort leadership, who are indeed comforted by them in the absence of real awareness.
Today there are multiple vectors for entry, and most of them are mobile, social and people-oriented rather than purely technical. Mobile devices carry threats directly into the environment and exfiltrate (send out) private information. A well-informed populace remains the best defense against tyranny, whether it takes the form of bad politics, shady business or malware-loaded phishing attempts.
It is twenty years too late, but we have to start shifting from belief in the control we never had to the trust we have neglected all along.
“Security is both a feeling and a reality. And they’re not the same… security is also a feeling, based not on probabilities and mathematical calculations, but on your psychological reactions to both risks and countermeasures.”
– Bruce Schneier, Cryptographer, Security Technologist and Author
How can we change this reaction and make a difference to how people, real people, both think and feel about security?
Human error is consistently cited as a contributor to the large majority of cyber incidents, and if people can be the weakest link, they can also become the greatest strength.
As in all things, User Experience (UX) matters. It is not just the work we do but the spirit in which we do it; the experience affects the outcome. If we are trying to teach fish to swim, it helps to put them in the water.
For this reason, it has always been my intention to focus on people: in addition to designing infrastructures that are resilient, scalable and secure, to help create a security mindset within the culture that is not rooted in fear, doubt, uncertainty and control. It is not as difficult as we might think to build deep security awareness in meaningful, friendly and entertaining ways, from a place of trust. I am constantly finding new, more creative, interactive and rewarding ways of doing this with clients, as opposed to the more traditional, and vastly more boring, methods.
So please – elevate your people. Empower them to feel competent, smart and able, rather than dumb, scared and limited through fear or control. We owe it to them. Starting twenty-plus years ago, we promised them we knew best. We displaced their responsibility onto our own shoulders, even as we were just learning this stuff for ourselves. We bungled it. We failed them. They’ve become the lazy office workers, developers and administrators who don’t worry about information security because it’s not their job. It’s someone else’s job. Right?
It’s everyone’s job. It is each individual’s job to make choices that protect themselves, their families, their friends, their livelihoods and the bottom line. Had we transmitted that message sooner, the online world would look very different today.
Can we change? Can we do what needs to be done to fix this?
What has happened in the first couple of decades of computing cannot be undone. Treating users like children continues to push them to act like children. As a culture of humans using machines, we can stop perpetuating our own cluelessness about information security. It is up to us to educate each other and make the next generation of computing one that is empowered and aware, able to inform each other and make the web safer for both work and play, now and into the future.
Thanks for reading.