It’s easy to think of cybersecurity as a coldly logical space where the deterministic management of machines and software creates a binary reality. Do the right thing (for values of “right” that equate to compliance with any of a myriad of frameworks), and security ensues. Do the wrong thing, which is often perceived as a failure to adhere to one or more of the scores of controls (FedRAMP has 421 controls for high-level systems, NIST 800-53 has more than 1,000), and insecurity follows.
While it’s easier, and perhaps comforting, to think of security as a binary proposition, this perspective omits a fundamental, and far more complex, variable in the security equation. People, users, wetware, call them what you will, they are the rationale for both every security product ever built and every security measure ever taken. As an industry, we often see people as carbon-based, bipedal, Terran security threats, but this view is born of our own hubris. Security solutions are intended to be enablers, allowing organizations and individuals to get on, safely, with the business of the day. People – users – wetware – are the reason the cybersecurity industry exists.
However, for better or worse, this inconvenient fact is often overlooked in product design and security program implementation. As a result, in pursuit of ever loftier security goals, the user experience is distinctly an also-ran. Indeed, the trope “security is inversely proportional to convenience” made its appearance as far back as the Unix System Administration Handbook in 1989. Consequently, users often feel that they are forced into the unfortunate position of having to choose between doing their jobs in a timely and effective manner and complying with the organization’s security regime. The result is that users often undermine security measures by employing unauthorized (or “shadow”) personal IT systems and tools.
This state of affairs evolved because security tooling and methodologies developed parallel to, and siloed from, the technologies that enable users and organizations to do the jobs for which they were hired and created. Security was then grafted on, resulting in an uncomfortable and often unnatural pairing. Fortunately, as CW3 Flint habitually noted (IYKYK), knowing is half the battle. Just as fortunately, not only do we (as an industry) know that the problem exists, but the tools to address the problem also exist.
It’s time for a new generation of security technologies. These technologies will accelerate job and task activities instead of inducing workplace performance drag. Using automation, they will reduce or eliminate burdens placed by security regimes on users. This concept of cybersecurity technology 2.0 (or 3.0, depending on how you look at it) ends the adversarial relationship between information security and users and enables users to become security champions.
Build it right, America.