We were wrong. Humans are NOT “security assets”.
First, the industry referred to people as the “weakest link” in cybersecurity. Because you know how those pesky things click on every link they’re sent.
Then they became the “strongest asset” because the industry realized that technological security is not enough. And that the problem was with the training, not the people.
Now, we’re telling you that they’re neither of those things.
Sorry.
To be clear, we’re not saying that people are the weakest link. Or that people aren’t an asset. We’re just saying that both of those terms are … problematic. We take issue with the former for obvious reasons. But we have a new argument against the latter.
We’ll do our best to summarize. But it was best explained during our webinar, ‘Security awareness is dead (or dying)’ by Tide’s Security Culture & Awareness Analyst, Shaketa Welch.
If you missed it, don’t sweat it, you can watch it on demand here, for free!
Alright, so here it goes…
People are just people
Nothing more. Nothing less. Referring to people as “assets” may seem like a compliment, but it’s actually a little dehumanizing.
And, according to Shaketa, it’s not surprising that the security industry doesn’t see the problem, because there’s generally a lack of “human-to-human touch”. In other words, it’s been the norm to treat people like another cog in the machine, and not like … wait for it … people.
It’s the reason security professionals use complicated language, fearmonger, generally say things that put people off, and assign the kind of security awareness training that makes people want to call in sick.
So, this is what it comes down to: security professionals just aren’t doing enough to reach people. But most won’t admit it. Instead, they say things like “people just don’t care about security”. And that may be true. But there’s more to it than that.
If people weren’t receptive to security messaging, they wouldn’t lock their cars or hide their pin codes at the ATM. The right messaging is the messaging that changes behavior and gets people to take action.
Unfortunately, most professionals don’t have the confidence to push boundaries and go against the grain. But the tide is changing. Traditional security awareness is dying, and giving way to solutions that actually put humans (and human behavior) first.
Want to know more about the death of security awareness, and how you can move on? Watch our free security awareness webinar