June 27, 2023
Cybersecurity’s Golden Mean
For nearly 2,500 years, philosophers have wrestled with the age-old question of how to balance the three pillars of cybersecurity: technology, processes, and people.
Well, not quite. As an explicit concept applied to cybersecurity, this framework has been advanced for a mere few decades. Nonetheless, the core understanding behind it traces back to Ancient Greece, with Aristotle and his proposal of the Golden Mean.
Aristotle held that each virtue lies between two vices, one of deficiency and one of excess. For example, the virtue of courage lies in the middle of a continuum between cowardice on one end and recklessness on the other. The Golden Mean is not the result of a mathematical equation, nor does it necessarily fall exactly in the middle of the continuum; instead, it varies with the circumstances of the situation. This balanced approach is sometimes summarized as “moderation in all things.” In the cyber realm, moderation in the pursuit of security is not always seen as a virtue; yet today’s security programs can still become dangerously out of balance when one pillar is neglected in favor of the others.
In recent years, technology has been the dominant focus of cybersecurity spending, largely in response to the very real shortage of cybersecurity professionals. Billions of venture capital dollars have been invested across every security category, leaving roughly four or more vendors that can claim to be a “leader” in any given technology space. With the advent of generative AI and the rise of automated processes, we often forget Aristotle’s observations about what he called “techne,” which we might think of as craftsmanship. Tools and instruments are extensions of human abilities, with the potential to help us achieve our goals – but those goals must themselves be informed by human ethics and reason; when security practices become completely mechanized, both security and efficiency may suffer.
Processes – the establishment of robust and well-defined procedures, policies, and guidelines – are gaining greater purchase as training and security best practices extend beyond IT personnel to everyone within the enterprise. Instilling the right procedures and creating a culture of compliance is an ongoing process. As Aristotle noted, “Excellence is not an act, but a habit.” Technology that makes compliance easier, and less disruptive to business functions, can aid this process greatly, but it should never devolve into mindless, inflexible checklists. Ultimately, people must practice the habits that lead to excellence, while retaining the autonomy to assess the particular needs of a given situation.
Human-centric security design centers on the user, applying behavioral science and user experience (UX) to minimize cybersecurity-induced friction. For all the investment in technology and well-designed processes, human nature is immutable, and therefore a standing source of risk. Aristotle took note of human passions, appetites, and desires, which, when combined with our social natures, can lead to great harm. Yet the human capacity for reason can temper these desires as we seek to fulfill our highest potential through a harmonious balance of reason and emotion. Security training can go beyond reciting defined rules to cultivate an understanding of the causes and consequences of security breaches. As a result, people across an organization become stakeholders in a culture of security that complements business requirements without subsuming them.
Even the soundest cybersecurity practices, procedures, and personnel cannot completely compensate for human failings, whether negligent or malicious. They can, however, reduce both the probability and the cost of those failings. Companies that help enterprises restore the balance by focusing on the human element are positioned to be valuable assets in a sea of commoditized technology. As Chief Information Security Officer Aristotle might contend, security and risk management leaders can apply practical wisdom to avoid extremes in the balance of technology, process, and people-centric investments, and thus realize the virtue of security in the discovery of the Golden Mean.
Meet the Author
Managing Director, Clearsight Advisors