Often described in terms of engineering solutions, cybersecurity is far from a purely technical problem. It is a series of complex risk trade-offs, just like health, safety and the environment. Yes, there are tools and technologies that can and should be developed. But each one of these tools is developed by humans, used by humans and managed by humans. Plus, each tool that gets introduced then influences human behavior, often in unforeseen ways. This makes cybersecurity a complex adaptive system that is part of an even more complex adaptive system — the Internet itself.
I entirely agree that the human element is critical, and constantly overlooked, especially if someone will sell an IT solution. However, as a human interface specialist I have to say that budget does not, in my experience, follow this assertion. Too often I find companies want an effective solution but NEED an IT solution, preferably involving some CBT that gives instant statistics that satisfy regulatory bodies.
Wendy, thanks so much for your great comment. Yes, I should have added govern along with manage, use and develop. Current information system risk management regimes are predicated on compliance with standards that do not adequately account for complex risk, especially on the human side. IT products are often built and sold to help organizations comply with pre-set standards that may not adequately capture the risk an organization is facing from both internal and external threats. The products themselves may function perfectly well, but the compliance regimes themselves are flawed. At the same time, these products in practice may be ill-configured or used poorly (ignored, too many false positives). This is the essence of socio-technical risk.
In the spirit of Cyber active defense and reducing attack surfaces, an organization with data and information it cannot afford to lose should not put it on the Internet.
A new opportunity value proposition is needed for those who genuinely cannot afford to lose their data and information and cannot offer 100% protection. Simply establishing a known degree of assurance is insufficient to earn a label of trusted. Instead we need to drive adversary dwell time to zero. One way to escape harm is to vacate the space. And so the Zero Tolerance Policy of not using the Internet is called for in the situation so defined.
Owing to the sharpened understanding of Cyber situation awareness and vulnerability thrust upon us by the Office of Personnel Management (OPM) breach and the loss of 21.9 million federal personnel records with highly sensitive data, it is increasingly clear that there are no Cyber experts and no Cyber protections that offer 100% assurance of protection. Even those measures that offer some measure of protection, like three-factor authentication and data encryption, are not easily adopted even by organizations whose missions scream out for their use.