Maybe your users aren't the weakest link in security.
Maybe you're the weakest link in enabling your users to do their mission securely.
Anyway a bunch of us exploded about Danny Palmer’s article yesterday and it’s not really his fault, even if we had minor gripes with the content. His article got unfortunately renamed by someone else. https://twitter.com/steved3/status/1380208000112148484
I can explain why some of us exploded, though. There’s this really kinda toxic infosec culture that boomed a few years back and still exists at all levels today: “the user is the weakest link.”
Although a lot of us have gotten better at understanding business and having empathy for users facing increasingly devious attacks, marketing from less savory awareness and phishing test companies has kept this culture alive.
You know how everyone in business is always selling something? Well, they market their services as relevant and a panacea for the huge number of attacks using social engineering.

Now before I’m beaten by Awareness pals for a Very Hot Take...,
Educating and informing users about scams and cybersecurity *is* an important part of security programs. However, it has limitations like any other element because:

***Users are doing a job that is not cybersecurity, and cybersecurity is probably not the company mission.***
In fact, you serve the users and the mission. Your job is to enable the users to do their job securely, in the least disruptive way possible. That means that expecting 0 clicks is tone deaf and laughable. It means security just has to work, and risk needs to be modeled well.
It shouldn’t be possible for a user who clicks or uses a weak password to eff over your entire department. It just shouldn’t be possible. That doesn’t necessarily mean shiny whiz bang tools. It can mean simple functional or topological segmentation. It could mean monitoring.
And again, awareness training is still great because it helps users be our eyes and ears and notify us when someone is targeting us in a new way. It also helps them buy into our efforts. But they should not be implicitly assigned a new job duty of practical network defense.
Anyway “the user is the weakest link” assumes you’ve made the user help you hold your fence up. Hope you’re paying them extra for that.
I have no idea how to put this monster back in the box.
You can follow @hacks4pancakes.