Related Video:
There’s a pervasive belief that security is everyone’s responsibility. It's a noble idea, but it often falls short in practice. My experience as a system administrator and cybersecurity professional has shown me that expecting everyone in an organization to prioritize security is unrealistic and potentially dangerous.
The Reality of Employee Priorities
Most employees, whether accountants, HR professionals, or custodians, have one primary focus: their jobs. They care about completing their tasks efficiently and correctly, often under tight deadlines. Unless explicitly part of their job description, security isn't a priority for them. Their main concern is their paycheck, and security is an additional burden.
As a system administrator, I saw this firsthand. Users would take shortcuts to make their jobs easier, often ignoring security protocols. They didn’t intentionally compromise security; it was simply not their primary concern.
The Ineffectiveness of Relying on End Users
Expecting end users to act securely is like expecting a child never to make a mistake. It's an unrealistic expectation that sets them up for failure. Just as children need a safe environment to explore without serious harm, employees need a work environment where occasional security lapses don’t lead to catastrophic breaches.
For instance, during my time troubleshooting and fixing thousands of issues, I encountered countless scenarios where users would openly admit that they "aren't very good with this computer stuff. " They were focused on their primary tasks, and learning to work and operate a computer effectively wasn't their job in their view. They relied on me to fix every minor issue and even expected me to teach them to use a computer when there wasn't even an issue. This behavior also applies to cybersecurity. End users don't have the time or patience to be cyber-savvy. Another example I frequently see is when discussing cybersecurity with non-cybersecurity professionals. I often get a similar response: "I should care more about this stuff" or "I don't care if a hacker gets me they can just have it." The story's moral is that cybersecurity is almost always inconvenient, and the average computer user almost never wants to sacrifice their convenience for security, which is often the pitfall of cybersecurity.
The Role of IT and Security Professionals
The security burden should primarily fall on IT and security professionals, not end users. Our job is to design systems and policies that account for human error and minimize its impact. This means creating robust security protocols that can withstand occasional lapses in judgment.
As a "grey hat sysadmin," I aimed to ensure the network functioned smoothly while balancing security needs. Sometimes, this meant bending security rules to keep users happy and productive. It was a delicate balance, but it underscored a critical point: the effectiveness of security measures shouldn’t depend on perfect user behavior.
Building a Secure Environment
To achieve a secure environment, we must focus on making secure practices seamless and unobtrusive. Here are a few strategies:
Automate Security Measures: Use automated systems to enforce security protocols. This reduces the reliance on users to make the right decisions every time.
User-Friendly Security: Design security measures that integrate smoothly into daily workflows. Users are more likely to comply if security feels like a natural part of the job.
Education and Training: Regular, engaging training sessions can help users understand the importance of security. However, training should complement automated measures, not replace them.
Expect and Mitigate Mistakes: Design systems with the expectation that users will make mistakes. Implement controls that limit the damage caused by these errors.
Shifting the Responsibility
Security professionals must accept that they are largely responsible for maintaining a secure network. Users should be educated and aware, but they should not be the front line of defense. This approach enhances security and allows employees to focus on their primary roles without the added stress of being security experts.
In conclusion, while it's nice to say that security is everyone’s responsibility, the reality is that it’s a shared responsibility with a greater emphasis on those trained to handle it. By acknowledging this and adjusting our strategies accordingly, we can create more secure and efficient work environments. Let's build systems that protect our networks, anticipating human error and mitigating its impact rather than expecting perfection from every user.