Attacking the Human Wall


Good post here from Brandon Williams on the inherent weakness of security processes that ignore the human element.

There's nothing new in saying that humans are the weakest link in the security chain (ok, in *most* people's security chain) but Brandon's right: People really are the new perimeter. In more ways than one.

The point he makes (and it's a fair one) is that for all the investments you make in technical and physical security, it really won't matter if you don't invest in educating your employees not to do anything stupid.

Employees have always needed to understand the whys of good information security practices, but as the perimeter becomes porous (or becomes many perimeters) the need for this knowledge has grown significantly. Attackers target employees to do the dirty work and help them break into systems that are well defended. The prime example is the successful attack on RSA earlier this year.

Attackers go after the employees because employees already have the access to what they want, and if they can subvert a helpful or unsuspecting employee, they can bypass many, if not most, of those expensive security products you hoped would keep the hackers out and the data in.

A well-educated employee, one who understands how to spot when they are being targeted (and gets why breaches are bad), can quickly stop an attack, or at least alert you when something suspicious is going on.

So while employees are your best defense against attack, they are also your weakest link. And it's getting worse. Much worse.

As information moves outside of the traditional four walls, or whatever is left of the perimeter, and onto smartphones, removable media, and into many, many cloud infrastructures, the ability of your current security controls to follow that data, to keep it safe, diminishes as the data moves faster, in more places, and in greater quantities than we could have imagined, even five years ago. With much of that data mobility driven by individuals using their own devices and consumer cloud services such as Dropbox or Box.net, keeping data safe is getting harder, fast.

As the one entrusted with securing your organization, you're going to need help. And that help can only come from the people who understand that they are the custodians of the data you are tasked to keep safe – your employees and the users themselves.

If there is one control that you have at least a reasonable chance of extending out there into the misty reaches of the cloud, it's a well-educated and informed employee.
