Why people are not the problem in security and where to look (hint: grab a mirror)

Do not put your faith in what statistics say until you have carefully considered what they do not say. ~William W. Watt

Over the last few years, a series of reports, studies, and endless articles suggest the biggest challenge in security is people. Whether external attackers taking advantage of individuals, insider mistakes or even insider espionage, the overly simple and false conclusion is that we face a “people problem.”

Convenient, but not true.

Except, of course, when it happens to be true (which isn’t often).

Enter the Human Paradox

Early in the research and development of Into the Breach, I realized that a security breach (regardless of the definition) is only a symptom. As a result, a focus on preventing security breaches creates a losing situation where valuable time, money and other resources are wasted — only to leave the real challenge untouched. The real challenge is The Human Paradox (update: check out the human paradox gap for an applied model).

The Human Paradox: individuals have been systematically (albeit unintentionally) disconnected from the consequences of their actions. This results in a challenge where people no longer take responsibility and are nearly impossible to hold accountable.

If people aren’t the problem, what is?

When introducing the human paradox in the book, I wrote that we face a people problem. I regret my poor choice of words. We face a human paradox where people are not the problem.

The key to understanding the paradox is the unintentional and systematic disconnection of people from the consequences of their actions. Coining current challenges as a “people problem” doesn’t fully explain the situation or account for the potential individuals represent.

This naturally raises the question, “who disconnected people from the consequences of their actions?”

Short answer: we (security professionals) did.

The good news is it wasn’t intentional (mostly).

The consequences of short-term gain, long-term pain

“Short-term gain, long-term pain” happens when actions designed to quickly defuse a situation create more complicated problems down the road. The quick gain is traded for long-term pain.

In security, this means actions taken over the last decade for short-term gain disconnected people from the consequences of their actions. Now we’re experiencing the long-term pain of short-term gains most have already forgotten about.

In fairness, the rapid pace of change in technology and security over the last decade or so makes it difficult for professionals to keep up with solutions and potential consequences. Even more complicated, then, is understanding, breaking down, and explaining the range of outcomes in a way decision makers (without the same security background) easily understand.

The growing importance of security was met with complicated solutions, shrinking budgets, and tight deadlines. Under stress, under fire, and lacking the skills of effective communication, the typical response to pushback and questions was to suggest to people that “they wouldn’t understand.” The path of short-term gain was to take de facto responsibility for the decision — and resulting consequences. However, this also meant disconnecting people from the consequences of their actions.

We trained people that security is hard, complex, and something they are not responsible for.

Now the situation is changing and we realize we depend on people. People we disconnected and trained to abdicate responsibility to us. Odd, then, that we lament their lack of interest, understanding, and action. Plus, it turns out that it’s a bit harder than it seems to understand and effectively communicate complex challenges — especially when explaining them in the context of business value.

Before “blaming and shaming” the people we serve, we need to take a long, hard look in the mirror.

We played a role in creating the pain we experience.

Recognize it, learn from it, then move on.

What comes next? The path forward

To get people to change means we have to change first. We have to shift the way we connect with people. We have to demonstrate business value and explain ourselves using the art and science of effective communication.

Ultimately, we have to bridge the Human Paradox Gap.

We need to reconnect people with the consequences of their actions. Easier said than done, this means resisting the urge to just inflict pain and punish “bad” decisions.

So – tell them the consequences and we’re all set, right?

Well, it’s not that easy.

We need to change the way we think, change the way we act and work to cultivate a new culture to address how we manage risk, information and the relationships with the people we serve.

We need more deliberate dialogue: conversation with a purpose that meets people where they are and works in a way that allows everyone to learn. When we enter the conversation as equals, each with a valid set of experiences – and a desire to reach common understanding, something magical happens.

Best part: no new investment in technology is needed. This costs time. It requires being present. For some, this is simple, easy and obvious. For others, this is a challenge and will be a rough start.

Effective communication is a process, not a product. It’s time to bridge the gap, repair the divide and change the way we help people realize the consequences of actions. By fostering healthy relationships based on trust and mutual understanding, we all win.

We have a lot of work to do.

I’m working on models and methods to ease the process. Want to get a head start? Let’s talk!