August 31


The media is wrong about security breaches – the answer is not technology and legislation

This was written in 2006 before the launch of Into the Breach, the book by Michael Santarcangelo that examines and explains the underlying cause of the breaches as the human paradox. The book offers simple, but powerful, steps any person in any organization can take to successfully engage, empower and enable people to take responsibility. New research (check out this blog and the learning library) offer insights and strategies to harness the human side of security.


After a successful client training – focused on how to help people address risk more effectively, I came across these two related articles, one in eWeek and the other in Information Week – and both mistakenly suggest we are helpless without technology and legislation!

IT Pros Say They Can’t Stop Data Breaches

Research: Privacy, Security Problems Alarming But Fixable

With the rising number of breaches reported, what is more alarming is the number purposefully unreported, or worse, unnoticed!

Amid the rising number of breaches, new “research” was announced today, and it is being reported as showing that “IT professionals” are, or feel, helpless to prevent security breaches. Whether the conclusions come from the researchers themselves or from reporters reaching to make sense of the findings, the suggestion is that the current complexity of solutions and a lack of technology are to blame.

In short, we need more technology and more legislation.

The lapses in security are a result of the human paradox gap (added in 2011: listen to the audio here (The Human Paradox Gap Audio Download)). When people are disconnected from the consequences of their actions, they take no responsibility, because we are unable to hold them accountable. As a result, people take actions — often with good intent — that we deem “stupid” and irresponsible… and we feel powerless to do anything about it.

Seems to me that we are in an age where we want (no, DEMAND) instant gratification. At the same time, we seem to have gotten ourselves comfortable with finger-pointing and passing the buck. While the “Staples Easy Button” is funny and a great marketing idea, we simply don’t have one for security. Security/Assurance is a process, not a product.

The challenge is that more technology and more legislation only mask the underlying problem. More of either will only allow for a bigger problem to emerge.

The solution is (re)connecting people to the consequences of their actions — with the structure, substance and support to assess intention and impact (check out the learning library for more insights on the Human Paradox Gap).

I think this is a challenging time, one that requires bold leadership to foster that return. Success requires at least three steps:
1. Give people permission to care, to take responsibility, to make a difference.
2. Enter into a dialogue of empowerment. Empowerment is not a one-way communication; empowerment is when an individual does the right thing, at the right time, for the right reason(s), when no one is watching.
3. We have to enable people to succeed, based on the effectiveness of our empowerment dialogue.

I will keep exploring the above points through this blog in the future. If you want to listen to me discuss this, I talked about it on Security Catalyst Episode 32. As I announced just this week, I am investing time and energy in developing Security 2.0 – which is how I believe we have to focus on these issues to move forward. If we continue to believe security is complex and tied to technology, we doom ourselves to failure. We have to realize the role people play in the solution and work diligently to design and enact solutions that start to actually make security part of the fabric.

This is not about balance. This is about integration.

Security is and should be a mindset, a way of acting and thinking to make a difference. In my experience, many of our problems, and therefore our solutions, reside in people, the way we act, the way we think, and the way we communicate.

See, I think the cause of many of the data breaches ( – this is an impressive listing and worth your time) is carelessness, lack of responsibility and people not taking the required (and fairly simple) actions. Remember when we were taught to treat others’ things as if they were our own? Whatever happened to that concept? I bet 80% of these breaches could have been prevented if people simply acted as if they were protecting their own information. And perhaps we failed by not giving them permission to take responsibility.

I have seen this first hand – both the problem and, more positively, the solution. I have been working with people around the country all year to think differently about security – and it is making a measurable difference!

Now, as I continue to develop and roll out Effective Assurance in IT Operations, we engage this issue regularly. This experience was designed in an entirely different way from the ground up – to allow people time to engage, to think and to practice acting differently. By learning how to protect ourselves, by thinking differently – we discover that security is not scary, complex or an impossible goal.

One of the hallmarks of this course is the invitation to be present and to think. I can (and will) write more about those in the future, but essentially – imagine having a few days to engage, think, take responsibility and re-learn how you can make a difference based on what you know, think and yes, feel.

This is my area of focus. I spend time working with good people and good organizations to successfully address these issues.

I have proof this approach works.

While reports “claiming we’re all helpless” help sell newspapers (and the digital equivalent of eyeballs), I don’t buy it. And neither should you.


