James Bore

The biggest thing that people forget about security is that on a very fundamental level it is about people.

You will sometimes hear statements like “people are the weakest link,” or “your strongest defense,” or a myriad of other sayings. What all of these tend to overlook is that, if we consider security as the art and science of protecting an asset from a threat, ultimately the only threat out there is more people (excluding aliens), and the only assets we are looking to protect are yet more people.

You’ll hear people, processes, and technology bandied around a lot, and it’s important to view people as the most important of those three. If your processes hinder the people who belong in your asset group, then your assets will find workarounds and become threats. If your processes aid those in your threats group, then you are helping them to target your assets.

Everything that you do in security you should be able to associate directly to one of two goals:

• Empowering your asset people to achieve their aims

• Disempowering your threat people

When you start to look at security through this lens, the people-focused lens, things change. Constraints that are placed because they are considered best practice often become unnecessary, while things that might be overlooked (updating your password policy to passphrases with a good communications ...