#Cybersecurity Failure is 100% a People problem.
#Cybersecurity failure is 100% a People problem. More correctly, it is a single person problem often times.
We often like to blame technology for our problems and failures. It's easy because tech can't defend itself. Tech is emotionless. It doesn't talk back. Everyone can easily gang up on and feel good about themselves because no one is being harmed emotionally.
But when we pull back the curtains and really look internally, we see that every problem, every issue, is indeed a people problem. Tech doesn't just break. Software doesn't just change function calls. Updates don't just stop happening.
Every breach is traced back to a failure of a person somewhere. And yet, we still don't empower people to prevent these breakdowns for myriads of reasons. Some are emotional. Some are business related. Some are just ignorance. But none of them had to happen if we just empowered our people.
Every breach is traced back to a failure of a person.
{Notice I am not using the frequentative noun "human" to describe people. Human degrades people. Human is a non-emotional, scientific term that offers no emotional support. It equates people with technology and services; as another cog in the system.}
Let's look at some examples. On the physical side, we are all probably guilty of holding the door open for someone including some of those locked doors. This is known as tailgating. Security personnel will say the system failed and they need to install double doors to create a "man trap" entry where only one person can enter/exit at a time. But the door worked as designed. Someone requested access, the badge reader or pin pad confirmed the access, and let that person in. It was the person who decided to violate the controls and let others in.
Failures in availability are often the result of people failures not technology. We conduct daily and weekly backups. Policy dictates a test of those backups twice a year. Often, those tests are forgotten about by people. And when disaster strikes, the inevitable happens; the backups fail. Those at fault quickly blame the corrupt backup or lack of restore space or some other deflective system. In fact, it was people who failed to test the backups. It was people who failed to ask when the backups were last tested. It was people who didn't schedule drills for that scenario.
Sadly, my favorite example of people failure occurs all too often and we see it in the headlines: "Company Breached by Outdated Software". Patch management and software updates. This is absolutely no excuse in this day and age and honestly has not been a viable excuse for the past 10 years if not 20 years. Each time, after close investigation, it comes down to people failing on some level. Most often, it is by not even applying patches and updates per manufacturer's suggestions. Or waiting unreasonable amounts of time to apply/replace software updates. The tech is there. Patch and Vulnerability Management software has matured into enterprise available options. Yet we still see people make irrational decisions based on older beliefs or risk ignorance.
So, how do we fix our people? The first step is acknowledging we have a people problem even if you don't think you do. We all do. I don't care if you are one of the best operating organizations on the planet, you need to focus on your people. They are your most valuable asset while potentially the easiest flaw you have. The nice part of this problem is it is an easy and relatively cheap fix.
They are your most valuable asset while potentially the easiest flaw you have.
I love mistakes. I embrace mistakes. Sure, I want my teams to not make them and yet, they still happen. That is OK though because my teams have a directive to rectify and share their mistakes. Let's all learn from one person's mistake so we all don't make the same mistake. I encourage moving forward with reasonable awareness and impacts of the situation. That allows teams to speed up and slow down based on their evaluation of the situation. This also instills trust in people.
People require trust to be top performers. For example, bold salespeople, those with the big personalities, don't sit and wait for trust. They assume they have it until told otherwise. Others will wait to hear they have it. Both individuals will reach the same goal eventually. One just takes more positive reinforcement while the other sometimes needs to be reigned in.
Cybersecurity is no different. Those of us in management and leadership roles need to trust our staff and empower them to accomplish their tasks. The military uses Commander's Intent wherein the Generals tell the unit leads the goals of the mission. The how is left up to the local unit leaders with trust and empowerment from the Generals. "Captain, this is your objective: take that hill by 2230 hours." There is no specific instructions on teams or equipment to use. That General has to give orders to 10 other Captains. They don't have time to manage each and every operation.
One thing I have noticed is that this type people failure environment can exist in organizations of all sizes. From teams of 100s to teams of 5. Size is not a factor in it rearing it's ugly head.
Finally, there is a sweat spot for human trust where you reach the point of diminishing gains. It isn't the same for every organization nor is there a magical formula to calculate it. Each team is different as people come with all sorts of unique personalities. Only time and experience can reveal how far down you can push the onus for engaging.
Pull back your covers. Take down the blinds. Do whatever you have to do to create an environment where introspection can live in your organization. Remove blame and learn from everyone regardless of their position. The organization will grow far faster and stronger as a result.
///Chris\\\
CXOGLOBAL100 Executive Recruitment & IT Staffing. Help mitigate Staffing pain points, bottlenecks. Delivering the best, brightest business Technology C-Suite/Critical Thinkers inside the Fortune based/enterprise markets.
3yChris Gebhardt IT all comes down to the Human element.
Director of Information Technology | Head of Technology | Head of IT | VP Enterprise Risk Management | Virtual CIO | Startup & Early Growth Companies | Hyper Growth, Cybersecurity | IT Operations
3yGood article. “Yet we still see people make irrational decisions based on older beliefs or risk ignorance.” Train the users of the systems not to hold the door open and trust our team to secure the system. Both require clearly stating the objective. Good leadership lesson.
Project Manager | Leading Multinational Teams With Succinct Communication and Military-Grade Agility & Teamwork
3yGreat analogy with "Commander's Intent" as I've done best when I have been given clear, broad intent with a specific mission or goal. One of my favorite quotes along this line is from GEN Patton, "Never tell people how to do things. Tell them what to do and they will surprise you with their ingenuity.” With the trust & empowerment you mention Chris, folks will surprise themselves and those around them continuously.