For years, information security has been saying that the user is the weakest link. I don’t know if they are the weakest link or not, but the connotations of saying that are completely wrong and are damaging the security posture of many organizations.

By saying that users are the weakest link we have been insinuating that the security controls we implement are good, but that if users click on a malicious link, there is nothing we can do.

I disagree with this idea. Information security should put the necessary security controls in place (directly or by pursuing them) to prevent breaches. It is not ok that only because a user clicks on a malicious link, a company gets infected and breached. If that happens, it is because security controls are missing or inefficient. It is not the user’s fault.

There are many things that we, as security professionals, can do before the user and after the user clicks a malicious link. It is our responsibility to try to block the malicious email at the perimeter, for example, at the email security gateway. If we are unable to identify and block a malicious email, why do we blame the user for not identifying it?

This doesn’t mean that we don’t have to do training and raise awareness. Not all security measures should be technical controls. The more aware our users are, the better. But we have to assume that someone is going to click a malicious link, visit a web with malicious payload embedded, or reuse a password.

Security is everyone’s responsibility in the sense that everyone has to participate and comply with the established security policies, however, as security teams, we are responsible for defining and pursuing the implementation of security controls that protect our organization. We cannot rely on a user not clicking a link or not reusing a password. Before blaming the end-users we should blame ourselves for not being able to create or implement the efficient and reliable technical security controls.