New Job. New Book. New Blog.

Just about everyone experiences a point of transition at some point in their lives, a time when lots of things change very quickly. Things can get better, or they can get worse, or they can simply get… different. The only constant is the realization that there’s no going back. 2015 has been like that for me. Things got worse, things got better, and things got different. And though most of my changes have been happy ones, it’s still scary, and the initial steps are usually the hardest. The first day in the new job, those first few pages in the new chapter, that first post. You hesitate even as you keep telling yourself to move. And then, suddenly, you’re in motion…

I created Security is People! as a companion to my book, People-Centric Security, which is a few weeks away from publication as I write this. The blog’s title is pretty self-explanatory. Throughout my career, security has been sold as a people, process, and technology challenge. But two decades of experience have convinced me that the people-process-technology triptych enjoys little more than lip service in our industry. Instead, the priorities are reversed. Information security today is most often discussed and managed as a technology challenge. Process has its place, but usually as something that supplements (until it can be automated away by) technology. Human beings, when the security industry considers them at all, are traditionally characterized as something between a nuisance and an outright threat. People, by virtue of maliciousness or ignorance or both, are but accidents (and incidents) waiting to happen.

I want to contest this status quo, to give people their proper place in cybersecurity – center stage, sharing the spotlight with the products and frameworks that have hogged it for too long. I came to InfoSec by way of espionage, not IT. As a HUMINT operations officer, I learned that security was always people. It still is. People make up the single most effective enterprise security infrastructure you can have. If you throw all your technology products out the window tonight, the people who show up for work tomorrow morning will still constitute an organization. That’s what an organization is: people. But if you throw all of them into the street, then all you’ll have left is a vast collection of metal and plastic, humming and blinking and without purpose. It doesn’t matter what something does – if there’s no one to use it, it’s useless.

Security is People! is an experiment. It won’t always read like a security blog. There are plenty of good ones out there, if you want the latest on technology trends or deconstructions of vulns and attacks. I guess you could say I’m chasing cybersecurity’s human interest stories. I kind of like that, actually. I’ll also use this blog to promote ideas I think the security industry could benefit from adopting – theories, methods, techniques, and research from other disciplines that support a more people-centric mindset. Stuff like qualitative inquiry, human and organizational information behaviors, and of course plenty of culture. Because why we do is usually more fascinating than what we do.

