Why Is Security A People Problem?


In recent years, some of the largest data breaches have been a direct result of human error: security is a people problem. The consequences of these events are often unintended losses caused by people who mistakenly activate malware by opening unknown emails or clicking on malicious links, and these instances are becoming more commonplace. Human ignorance and error have become an easy target for cybercriminals to exploit, and in turn create the biggest security blind spots for organizations at large.

In addition, the absence of cybersecurity staff, an increase in risk exposure because of human error, and the rapidly shifting technological landscape are turning infrastructure, data, and applications into a people problem. To overcome these challenges, organizations must transform people into their biggest security assets. Let’s take a look at how security has transformed into a people problem, and at what factors can play a role in pushing the security industry towards a better future.

Security Becomes a ‘People Problem’

For years, people have been considered the weakest link in IT security. This perception prevails chiefly because there is a lack of adequate security practices and risk awareness. The people problem is further intensified by the risks that exist because of a scarcity of technical expertise in the organisation, and by the risks posed by senior business stakeholders, who are often responsible for weak decision-making concerning budgets and strategies.

Surprisingly, the growing dearth of technical skills contradicts the overall reduction in inexperienced human resources that is usually witnessed in the market. That trend implies that as organizations grow, the lack of skilled experts reduces. However, this principle doesn’t seem to work particularly well for the more hands-on technical disciplines.

Accessibility and Usability

A specific kind of inaction is created by the usability patterns incorporated into popular software, including operating systems. It becomes easy for people to gravitate towards the most secure-seeming options, as this software is designed to let users transition smoothly from one app to another. However, these user-friendly design models inevitably end up discouraging people from being wary of online applications and websites, or from being even a little cautious.

Cyber Security Skills

Organizations are increasingly having a difficult time hiring and retaining people in cybersecurity roles. This is partly due to some outdated, preconceived notions employers tend to harbour while hiring for cybersecurity positions in their organizations. For instance, according to one misconception, people applying for cybersecurity positions are expected to be mathematical and coding geniuses who supposedly became experts the moment they touched a keyboard. As misguided as this perception is, it does not stop employers from being prejudiced against hiring newcomers or people from different fields of study into cybersecurity roles.

Not Everyone Is On The Same Level

In several instances, we see people struggling against the policies of their own IT department, which is bent on treating the job roles of all employees as one and the same. It is understandable that this becomes extremely frustrating and even upsetting for people in certain positions. Asking people to shape their entire life or working pattern to fit a security policy is unrealistic. As a result, it leads to reduced productivity and employee burnout.

Risky Choices

Even in organisations that provide annual security and phishing training to their staff, people continue to make risky choices, probably because they don’t see themselves as an integral part of the security operation and consider it a separate entity altogether. It is also because the currently prevalent security strategies are profoundly complex and sometimes become quite difficult to manage.

Many organizations provide as much freedom as possible to their employees and grant them control over the devices that they use. At the same time, organizations must also hold people responsible for the consequences of their actions. A trust-based, people-first model distributes responsibility to separate business teams and units, enabling them to make security decisions based upon the unique risks of each group. While providing freedom and latitude, organisations must also ensure that teams are aware that they will be held accountable, for instance if there is a security lapse on their part.

As each team has its own unique security requirements, every team in the organisation must take this seriously. If some employees are refused things that others are provided with, such as cloud-based file sharing or particular policies, it can lead to reduced morale and animosity among the employees. It is therefore necessary to explain the role each group plays in maintaining the overall security of the company.

How To Solve Security As A People Problem?

It is clear from the above that security may not always turn out to be a technology problem; rather, it may end up being more of a process or people problem. To tackle these weak links, it is essential to seriously consider the prospect of compulsory training at all levels of the organization.

Make Security Training A Part Of The Company

First things first, it’s important to educate people on how to identify potential malware and refrain from clicking on it. They must also understand how and when to inform their company if they encounter any suspicious activity. By doing so, they allow the company to take immediate action on those suspicious findings. Spreading awareness and providing simple suggestions, such as not clicking on unknown links and not obliging unknown requests, will help avoid cyberattacks. Moreover, it will also give employees access to processes and channels designed to assure timely assistance when something goes wrong.

Involvement Of Security And Business Leaders

Business and security leaders must work together to operationalize security. The major cause of security issues is a lack of capabilities, which leads to poor security controls or operational maturity. Operationalizing security means upgrading techniques based on a comprehensive view of risks. When security becomes a strategic risk, high-security operations must be adopted by making them a standardized business process. Leaders should regularly assess and take action to make sure that IT security resources are deployed to avoid undesirable risks.

Give Users The Security Tools They Need

Cloud applications are infinitely useful, but they can also open doors to other security threats. If users don’t like what the company is providing them, they might find another free app. What seems helpful on the surface could be extremely risky for the users in the long run. Therefore, the company should ask its employees about their requirements and what they are using now, so that IT security staff can find options that have been reviewed for security.


There are plenty of weak links in the processes and systems that we use. Fortunately, there are also several practices that organizations can employ to minimize the security lapses created by people. Rather than turning naturally to technology every time to find the answers, or considering it the first and foremost option, we must remember that security at its core is a people problem, and therefore we must take the necessary steps to educate and train people to better protect themselves against cyberthreats.


Matt is a global CISO with 20+ years of directing international security programmes for multi-billion pound organisations. He has a passion for security and is a cybersecurity evangelist.
