Computers and mobile devices store, process and transfer highly valuable information. As a result, your organization most likely invests a great deal of resources to protect them. Protect the endpoint and you protect the information. Humans also store, process and transfer information; in many ways employees are another operating system, the HumanOS. Yet if you compare how much organizations invest in securing people with how much they invest in securing computers and mobile devices, you would be stunned at the difference. Let's take a look. Organizations typically invest in the following to protect an end device, including:
Host-Based Prevention System
Go down that list and add up the cost for each computer. Then add support contracts, help desk phone calls, and how many FTEs (Full-Time Employees) it takes to maintain all of this technology. You probably end up spending $100 a device? $200 a device? Now go through the exact same process and determine how much you are investing in securing your employees: how much per person? Hear those crickets chirping? Your organization is most likely spending 10x to 20x the time and resources securing technology as it does securing the HumanOS. And organizations still wonder why the human is the weakest link.
Technology is important, and we must continue to protect it. However, at some point you hit diminishing returns. We have to begin investing in securing the HumanOS as well, or bad guys will continue to bypass all of our controls and simply target the human endpoint.
Update #1: If determining the dollar amount for each computer becomes too complex, try a simpler metric. Count how many people you have on your information security team. Now, out of all those people, how many focus on securing technology and how many on securing the HumanOS? You will probably end up with a very similar ratio, something like 10-to-1 or 20-to-1.