Most security incidents I have seen did not happen because the technology was weak.
They happened because the process assumed people would behave differently than they actually do.
Over the years, I have worked with organisations that had hardened systems, locked down devices, enforced multi-factor authentication everywhere, and followed every checklist they were given. On paper, everything looked solid.
Incidents still happened.
Not because someone forgot to patch a server, but because a process broke down under real-world pressure. Someone needed to get work done quickly. Something was unclear. A workaround felt easier than the approved path.
That is where security usually fails.
Hardening is not enough
You can harden systems as much as you like. If the way people are expected to work does not match how work actually happens, security will eventually be bypassed. Not out of malice, but out of necessity.
This is why phrases like “users are the weakest link” miss the point.
People are not the problem. Assumptions are.
Designed for ideal behaviour
Most security processes are designed for ideal behaviour. Clear instructions. Plenty of time. No interruptions. No competing priorities. The real world does not work like that.
When security introduces too much friction, people adapt. Passwords get reused. Files get shared in unofficial ways. Shadow IT appears. None of this happens because people do not care about security. It happens because systems were designed without considering human behaviour.
Good security accepts reality
Good security design accepts this reality.
It does not rely on perfect compliance. It assumes mistakes will happen and builds around them. It reduces unnecessary friction instead of adding punishment. It makes the secure path the easiest path, not the most restrictive one.
The strongest security environments I have seen are not the most locked down. They are the most thoughtful. Clear processes. Simple decisions. Guardrails that help rather than hinder.
Closing the gap
Security that works is rarely about adding another control. It is about removing the gap between how a system was designed to be used and how it is actually used.
The goal of security is not to eliminate mistakes.
It is to design systems that remain safe when mistakes inevitably happen.