March 10

Breach is a human problem, but people are not the problem

I’ve been researching and considering the challenge of protecting information – specifically centered on breaches – for a while now. I’ve noticed an interesting trend where the focus is turning toward human factors – with the assertion that people are the problem.

I see it differently. Regardless of whether the growing trend of breach rises to the level of epidemic or not – breach is only a symptom.

Progress comes from treating the cause, not the symptom. While the quick assessment suggests breach is a technology problem, waiting for a technology solution, this is not entirely true.
We face a human problem – where people are not the problem. The true problem is how people have been unintentionally and systematically disconnected from the consequences of their actions. This has happened for so long that they no longer accept responsibility or are held accountable. This disconnect impacts everything in the organization and needs to be properly addressed to move forward.

To solve the breach epidemic and the broader and more pressing need to protect information requires a new approach. We literally have to change the way people think about and protect information. We must adopt a the Strategy to Protect Information. This strategy is shared in the book and guided to success in the Protecting Information Program (launched today). I have some video and audio of the explanation, and I’ll share it in the coming days — as well as on the April Expedition of the Campaign Across America.

It’s time for a change that makes it easier for others (and us) to do their jobs. Your thoughts?

(and if you can’t wait, send me a note or give me a call – I’ll share what I’ve discovered)


You may also like

Are you using frameworks properly?

Leadership and communication are actually layers, not levels

  1. I could not agree more with your statement of users being “disconnected from the consequences of their actions.” One organization I know takes two actions to address this. First, the names and heads of departments whose staff regularly lose laptops or storage devices, or who repeatedly download malware are publicized. You don’t want your department to be on the list! Secondly (and this is still being finalized), employees’ annual performance review will include repeated security breaches. Lose your laptop or download a virus a few times, and you will feel it in your pocketbook. Both link behavior and consequences directly to individuals and departments.

  2. Great examples. Interestingly, though, both strike me as negative. Negative motivation is 10x more powerful than positive, but it may bring some unintended consequences, too. I’ll write more about that next week.

Comments are closed.
{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Subscribe to our newsletter now!