ECS 2019 Blog: humans are not your weakest defence; they are your greatest asset

It has become commonplace for vendors and end-user security practitioners to frame humans as the weakest security feature in an organisation’s defences against cyber attackers. Such a discourse only serves to limit user engagement, degrade organisational security culture, increase the potential for successful breaches and create a disconnect between security teams and non-IT-orientated staff.


Traditionally, the starting point when addressing organisational security culture has been to identify people as the weakest link. This message is often misunderstood, and recipients take it as personal criticism rather than understanding its true intention, which is to highlight the primary method of attack for criminals: hacking the human. What makes this worse is the threat of disciplinary action should staff fail to adhere to company policy, which leads to best practice being ignored, accepted standards being dismissed and the attack surface being widened as protocols are abandoned in favour of more cavalier approaches.

People are your strongest defence

Before talking to staff about their role in securing an organisation's defences, it is important to understand their perception of cyber security and where it sits within their order of priorities; this helps you see the issue from their perspective rather than dictating the starting point of the discussion. By employing the Eisenhower Matrix, you can understand where orders of priority sit within the company as a whole. Otherwise known as the urgent-important matrix, the Eisenhower Matrix helps you decide on and prioritise tasks by urgency and importance, sorting out the less urgent and less important tasks, which you should either delegate or not do at all.

Information security essentially sits within the same space as health and fitness. This means that it is regarded as non-urgent but important. Once we have the information from the matrix, we can begin to do something about it by establishing a trainer-user dialogue.

Information security culture

Once a dialogue has started, we can begin to democratise access to ensure security belongs to everyone. This means providing everyone with a voice.

One of the most successful activities is the information security culture study. Once you have the information it provides, you will know where to prioritise and how to segment your trouble spots. This means you can meaningfully measure engagement rather than just engage verbally. The combination of ongoing dialogue and performance metrics means that you are constantly promoting the need to change.

Maintaining robust lines of communication

To keep campaigns conversational, and to make them scale, you also need robust lines of communication.

Therefore, you should set up a network of information security agents dispersed across the globe as widely as possible. An agent acting as a conduit between yourself and what is happening locally provides you with rich, context-relevant sources. Agents also give the subject of cyber security an approachable and familiar face, a local point of contact rather than one from info-sec or IT.

Together, security practitioners and the wider workforce can advance the security culture, create a two-way dialogue between trainers and end users, improve cyber security awareness and improve organisational defences.

Michael Hughes