If you look at the root of most network security-related problems, they typically come with hair on top. Not a year goes by where study after study shows that humans are often the major contributing factor in security breaches, both known and unknown (i.e. yet to be discovered). In a world where it’s ultra-convenient to blame inanimate objects for society’s woes, what’s inevitably behind the scenes of the oft-cited “computer glitch”? People, of course.
Here are the top reasons why I believe people are the number one threat to the security of your network and why I don’t envy CISOs, information security managers, and others in charge:
- Network users are going to take the path of least resistance to complete their work, so if there are loopholes in your network security, your users are going to find and exploit them. And it’s not just ignorance or innocent fat-fingering of the keyboard. All it takes for someone to do something bad on your network is boredom, curiosity, or trouble at home. Suddenly your trusted users are anything but that.
- Network security is still viewed as IT’s problem. Your users are perfectly selfish, as all humans are. They are going to do what they do on the network for their reasons, not yours. They know you’ll be there to clean things up.
- IT staff, vendors, and service providers can work against you by under-implementing the technologies that you’re paying for. I see many situations where security controls are not being used in the way that they were designed or could be used. I think it’s rare to see any specific network security technology that’s fully implemented and utilized the way it was intended. Sometimes I even find that the systems and data that security controls are supposed to protect are bypassing them altogether.
- Those you report to such as the CIO, your own peers, and your subordinates are often working against you. I see people creating network complexity, or at least leaving it in place, for their own benefit. Be it job security, laziness, or a specific agenda, it creates a tough environment for even the best security professionals.
- Business leaders often sign off on business deals that effectively go against what you’re trying to accomplish with security. In many situations, certain guarantees are being made on your behalf through contracts, policies, and the like without management or legal knowing what they’re committing to from a security perspective, and without you being part of the conversation.
The façade of security policies, procedures, and standards serves to further perpetuate these issues. Again, I don’t envy you!
All in all, you know what’s missing? Willingness. It’s willingness on the part of end users to participate and do what they know is right. It’s willingness on the part of IT and security to see these issues as they are. It’s willingness on the part of executive management to do something about them.
The late personal achievement expert Jim Rohn once said, “Failure is not a single cataclysmic event. You don’t fail overnight. Instead, failure is a few errors in judgment, repeated every day.” Unless and until the people-related security challenges are brought to the forefront and resolved to the best of everyone’s abilities, we’ll be singing the same old security song. In the end, these are political and cultural issues that’ll never be completely solved. But they can be addressed and minimized. How important is it to you?