What are the biggest roadblocks to better cybersecurity? If you look at the major cybersecurity conferences, the usual presentation topics are risk assessment, encryption, zero-day exploits, and insider threats. But there’s no shortage of technical and human challenges to cybersecurity; often these factors are competing against each other for time and resources, making the problem even more complex.


Listen to expert Michael Daniel’s view on the subject, though, and the list looks very different. In an article for Harvard Business Review, Daniel poses a simple question about a complex problem: “Why Is Cybersecurity So Hard?”

His answer might surprise people used to the standard approach. Daniel argues that the industry has essentially been overly focused on technological barriers to keeping out the bad guys in cyberspace:

“[E]ven if we resolved the technical issues, cybersecurity would remain a hard problem for three reasons: 1) It’s not just a technical problem; 2) The rules of cyberspace are different from the physical world’s, and; 3) Cybersecurity law, policy, and practice are not yet fully developed.”

He’s been in a position to know. Daniel spent a career in federal government, largely at the US Office of Management and Budget. Until last year he served as President Obama’s cybersecurity coordinator. But his succinct article hits on ideas that are gaining traction. Two eagerly anticipated commission reports stressed the need for a broader, more people-focused approach to the issue:

So what does that mean for security and IT professionals if cybersecurity seems out of their control? The answer is a bit complicated, but all is not lost.

What can security and IT pros do?

Stop treating users as the enemy! Since University College London Professors Angela Sasse and Anne Adams made that urgent request nearly 20 years ago, a growing number of security pros (including myself) have been arguing that since everyone in an organization relies on information security, everybody must be involved in maintaining it.

  • Train users in person rather than presenting them with online tutorials. Programs like SANS Securing the Human or, in the UK, Security, Awareness, Behavior, Culture (SABC) are in-person training courses that help IT managers and end users understand each other better and that focus on building a security culture within organizations. Online tutorials are often ineffective and turn employees off.
  • Create positive incentives for employees to contribute to security. Many organizations that are frequent targets of hackers have started bug bounties, essentially paying outsiders to find security flaws, but sharp-eyed employees can help spot phishing attacks or other signs of intrusion. A positive security culture should welcome the extra help, for example by rewarding employees who point out suspicious emails, or departments with strong security records.

Don’t lose sight of your goal

The goal isn’t perfection; it’s reducing your risks from evolving threats. A great way to do that is enlisting a bigger team to make your most important assets and information tougher targets for the bad guys.