January 26

People are People

By Ron Simmons

During the last few weeks I had the opportunity to meet and speak with a very diverse group of people. In the process, I learned some important lessons. When it comes to lack of security, there are many varying opinions on the subject. Some people suggest “people are stupid,” while others say “there is no accountability or ownership,” still others say it is a lack of education or knowledge, and then there is the “oh well, I will accept that risk.” The challenge is knowing which one you are dealing with at that moment in time and how best to resolve the issue and move forward in a secure, low-risk environment.

People are stupid – (not a chance)

I am a firm believer that people always mean well. However, some of them can have warped definitions of meaning well. This is where education, responsibility and accountability come into play. If their definitions are “off” then it is up to a mentor, friend, co-worker, Webster’s, or whoever to help and assist them in changing their paradigm.

Lack of Education/Knowledge

Easy to work with, as long as the person you are working with understands this. Hopefully you have chosen a person for the job that knows their limits and will stand up and say “I don’t know”. If not, one of the best ways to work around this is the power of suggestion. Simple…..


There is too much accountability running around today. For every problem it seems that the government(s) needs to put down some law that requires accountability. Has it worked so far – I think NOT. Let’s try moving this paradigm from accountability to enforcement of the laws that are already on file. It is not always understood that it is the spirit of the law that matters, not what is typed on the paper. I have even seen government auditors fail in this. I will leave it to the legal peeps to fight over this one.

Risk Acceptors – Nothing but $$$$$$

These are the types of decision makers that should be smacked upside the head. It doesn’t matter how much the $$ is, it’s just not the right thing to do. However, I will admit that some risks, ones that do not affect other lives, can be acceptable.

The point is simple 

We, as a diverse group of professionals, need to look at each situation and attempt to change our focus from blame to responsibility. There is no silver bullet to solve these situations. Your path can only be determined by you — taking into consideration the situation, the people responsible and accountable for the data. What it all boils down to is people and change… plain and simple.

I know I have missed a few of the “reasons” that are used when moving a production system into production with “risks”, but hopefully this short list can stir up some more conversation about this topic. What do you think?



  1. Ron,
    Good post.
    People are emotional beings. It’s what separates us from other animals. We often make decisions on our emotions; including risk decisions.
    These conclusions point out the fact that Security Professionals need to study human psychology along with computer science.

    The “other” Ron
