Blog

LIVE FROM #ISC2CONGRESS: Theresa Payton - Stop Blaming the User

Oct 09, 2018

Stop saying humans are the weakest link in security. That was the main message delivered by former White House CIO Theresa Payton during her keynote at (ISC)2’s Congress 2018, taking place this week in New Orleans.

“The technology is the weakest link. The human is at risk. We have to change how we think about this in our industry,” said Payton, who is now president and CEO of Fortalice Solutions, and stars in the CBS show “Hunted.”

Even though cybersecurity teams implement various measures, follow rules and frameworks, and complete compliance checklists, breaches still occur, she said. That’s because technology is designed to be open for interoperability and usability. Rather than blame users, a better approach to security is needed.

“Let’s assume users are making mistakes as they are doing their job. Let’s assume technology will fail them. When you do, you’ll think differently about securing their data.” Payton advised taking a “warm embrace” approach to make users feel comfortable with technology, rather than fear it.

She shared an anecdote from her White House days, during the George W. Bush administration, about users waiting too long to report missing BlackBerry mobile devices. It turned out they had been given strict, scary instructions when receiving the devices, which made them hesitate to report losses. So, instead, Payton’s team started handing out the devices in a bag with presidential M&Ms and other swag, and a phone number to call if the device ever went missing. Problem solved.

Louder and Faster Doesn’t Work

“When bad things happen,” Payton said, the reaction is to train users and explain things. But a common mistake is to talk louder and faster, which doesn’t work, she said. It makes more sense to design policies around people. “Walk around and ask your users and your customers how technology supports them doing their job, and just listen. Listen to those cues around security.”

Other measures that improve security, she said, include segmentation, multifactor authentication and new technologies such as artificial intelligence and blockchain. Regarding segmentation, Payton used a White House-related example. During her two and a half years as CIO, the practice was to separate the president’s schedule from everything else so it wouldn’t fall into the wrong hands. The point: Safeguard your most valued data by isolating it and creating extra barriers around it.

Going forward, she said, machine learning and blockchain will play important roles. She compared blockchain to a squirrel hiding nuts in different places for winter. With blockchain, pieces of data are spread out and hidden, then monitored every 10 minutes to make sure they are still there.

Reasons to Worry

Payton said some possible scenarios keep her up at night. For instance, she worries about a man-made disaster planned to coincide with a major cyber attack. She also frets about the spread of misinformation on social media and its potential impact on elections and business operations.

On the positive side, she said, “we are doing a better job of educating the user.” But more work is needed, and that includes resisting the temptation to treat the user as the problem and, instead, developing policies and practices that produce better security outcomes.