Read the book The Security Culture Playbook - Perry Carpenter - Page 19

Does the Breach Problem Mean Security Awareness Has Failed?

At this point, you might be thinking something like, “But I bet most of those organizations that were breached weren't totally ignoring the human side of things. Surely they were doing some form of awareness training. So what gives? Doesn't that mean that focusing on humans hasn't been effective?”

That's a great question.

The answer isn't that focusing on humans has been ineffective; what's ineffective are the traditional methods of security awareness and training. Traditional awareness programs focused on sending people information about current threats, security best practices, and policy expectations, and then simply expecting people to magically do the right thing. Every parent or teacher knows that simply exposing people to information and expectations doesn't change behavior, but somehow the security industry duped itself into believing that it would work for us. Obviously it hasn't.

The entirety of this book is about taking real control of your human-layer defenses. This will require you to expand your thinking about what security awareness training should look like.

We'll begin that journey in Chapter 3, “The Foundations of Transformation”!

Let's think about this for a minute. Less than 3 percent of security spending is focused on the human layer, but more than 85 percent of breaches are traced back to humans. That stark contrast between the problem area and where organizations are focusing is shocking.

For decades, security leaders have known that humans are the most enticing and vulnerable attack surface; nonetheless, we, as an industry, have tried everything but doing the actual work needed to improve our situation.

And here we are.
