So I have thoughts. I always appreciate any article that provides tangible steps one can take.

But I also feel this is very "stupid user" centric and misses the boat on what makes security a culture. An effective culture is built through the unification of people, processes, technology, and governance. The steps here talk a lot about people, a little about governance (hold them accountable) but miss some key items. 1/ https://twitter.com/securitybrew/status/1336407980682653698

Do you have the policies and processes in place to enable your users to be part of the solution? Are those processes frictionless? 2/
If it takes a user two days to get a response on an email or executable they flagged as suspicious, they'll simply not bother.

Do your tools support the processes? Can a user click one button to submit a ticket about a suspicious phone call or email? Or do you have some 3/
convoluted process in place that is too onerous and as a result users just bypass?

How do you embed security in their daily activities? Do security-focused resources attend sprint planning, daily stand-ups, status meetings, etc. in your business lines? 4/
Finally, what metrics are you tracking success with? Are they tailored to your org? Are you focused on attaining arbitrary goals or do you celebrate and track continuous improvement? Are your KPIs security-based or are they actually meaningful to the business? 5/
Security needs to pick up the ball and have better program and organizational intelligence.

There's still far too much weight being put on users and not enough paving the road to make it easier for them to be secure. #DoBetterBeBetter /FIN