Eight Years On: The Evolution of Cybersecurity and Why We Need to Reframe ‘(not) Fixing’ the User


Flavius Plesu, Founder and CEO at OutThink, offers his insights on the evolution of cybersecurity and advocates for reframing the approach to ‘(not) fixing’ the user in the blog below:

Back in 2016, world-renowned security expert Bruce Schneier wrote an article titled “Security Design: Stop Trying to Fix the User” which caught my attention. While Bruce’s insights are always enlightening, I find myself diverging from his viewpoint on this occasion – I believe it’s healthy to have a respectful disagreement.

Bruce’s main contention is that we should abandon the practice of cybersecurity education and instead depend entirely on impeccable technology.

However, I beg to differ, and here are my reasons:

  • Today’s Reality: In large, complex organizations, the idea of flawless technical security is more of a utopia than a reality. While we may strive towards this ideal, today the human element is a significant part of both the attack surface and the solution.
  • Detection and Reporting: Aware employees can often be the best detection mechanism. Training people to recognize and respond to threats is just as important as preventing them. The best security teams we see track KPIs such as “mean time to detection and reporting”.
  • Continuous Learning: It’s a common misconception that hackers primarily brute-force their way into our IT systems; in reality, they often gain access simply by persuading users to willingly share their credentials. As such, ongoing education about the latest threats is crucial.
  • AI-Enabled Threats (and Defenses): Cybercriminals are now leveraging AI to bypass technical security measures and reach users with sophisticated social engineering attacks. There’s an opportunity to harness the same technology to educate people and equip them with the skills to identify and counter such threats.
  • Human-Centric Security: Our Chief Scientific Advisor, Professor M. Angela Sasse, advocates for human-centric security. Removing friction and making security simpler and more intuitive for people can lead to more secure behaviours.

According to the 2023 Verizon Data Breach Investigations Report, today 74% of all breaches involve the human element.

While the role of technology in cybersecurity is undeniable, the value of investing in our human defenses cannot be overstated. It’s not just a priority, but a strategic move that can yield significant ROI.

In today’s world, individuals across all age groups depend on digital platforms and services for various aspects of life – from work and education to health and wealth management. This reality not only underscores the importance of cybersecurity but also elevates it to a matter of social responsibility.

Our mission at OutThink is to secure digital life everywhere – we assist security teams in embracing a human-centric approach to security, and empower people with the digital skills they need to thrive in the 21st century.
