{"id":15870,"date":"2026-02-26T10:08:25","date_gmt":"2026-02-26T10:08:25","guid":{"rendered":"https:\/\/newestek.com\/?p=15870"},"modified":"2026-02-26T10:08:25","modified_gmt":"2026-02-26T10:08:25","slug":"the-farmers-and-the-mercenaries-rethinking-the-human-layer-in-security","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15870","title":{"rendered":"The farmers and the mercenaries: Rethinking the \u2018human layer\u2019 in security"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>There\u2019s a phrase that\u2019s become gospel in cybersecurity: \u201cEmployees are the last line of defense.\u201d<\/p>\n<p>We\u2019ve built an entire industry around it. Billions of dollars in security awareness programs, mandatory simulations and user-reporting workflows across endpoints, applications and collaboration tools. All predicated on a premise that sounds reasonable until you examine what we\u2019re actually asking.<\/p>\n<p>Here\u2019s what we\u2019re asking: for the marketing coordinator, the accounts payable clerk and the sales rep to catch what sophisticated security tools and trained professionals missed.<\/p>\n<p>That\u2019s not a security strategy. That\u2019s asking farmers to repel mercenaries.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>The hierarchy we don\u2019t talk about<\/h2>\n<p>Think of the actual defensive capabilities in a typical organization.<\/p>\n<p>Your security team has years of specialized training, access to SIEM platforms, threat intelligence feeds and forensics tools. Their full-time job is defense.<\/p>\n<p>Your CISO has decades of experience, strategic visibility across the organization and the authority to make architectural decisions. 
Defense is their entire professional identity.<\/p>\n<p>Your employees have a short annual training module, a reporting workflow and whatever attention they can spare from the job they were actually hired to do.<\/p>\n<p>We\u2019ve built a multi-billion-dollar industry around the idea that the third group will succeed where the first two are failing.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>The evidence is already in<\/h2>\n<p>This isn\u2019t a theoretical complaint \u2014 it shows up in research on how real SOCs work. A study by the University of Oxford, based on surveys and interviews with SOC practitioners, <a href=\"https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/alahmadi\">found they \u201cconfirmed the high\u201d false-positive rates of tools in use, and that many \u201cfalse positives\u201d are actually benign triggers that still require human validation.<\/a><\/p>\n<p>That\u2019s not employee failure. That\u2019s employees doing exactly what we trained them to do \u2014 and the training is producing volume rather than clarity.<\/p>\n<p>User reporting systems have become noise amplifiers. Employees are encouraged to flag anything that feels out of pattern: unusual access prompts, unexpected system messages, automated workflows, new integrations, time-sensitive requests. These signals once indicated risk. Today, they often reflect how modern, automated businesses actually operate. The cues we taught employees to distrust increasingly describe normal work.<\/p>\n<p>Meanwhile, SOC teams are drowning. It\u2019s not just the queues \u2014 it\u2019s the human cost. 
ISACA\u2019s 2024 research <a href=\"https:\/\/www.isaca.org\/about-us\/newsroom\/press-releases\/2024\/nearly-two-thirds-of-cybersecurity-pros-say-job-stress-is-growing-according-to-new-isaca-research?utm_source=chatgpt.com\">found 66% of cybersecurity professionals say the job is more stressful now than it was five years ago<\/a>, citing a more complex threat landscape alongside resourcing constraints.<\/p>\n<p>And our answer is: the accountants will save us.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>The real human layer<\/h2>\n<p>Here\u2019s the contrarian take the industry needs to hear: the \u2018human layer\u2019 that matters isn\u2019t your employees. It\u2019s your security team.<\/p>\n<p>When we talk about the human element in security, we should be talking about the CISOs running on four hours of sleep during an incident. The analysts pattern-matching across thousands of signals. The threat hunters who notice something slightly off in authentication logs. The architects who see the structural weakness before it becomes a breach.<\/p>\n<p>These are elite defenders. Trained professionals. The actual human intelligence in your security posture.<\/p>\n<p>If they can\u2019t keep up \u2014 if their capacity is consumed by false positive triage, user-submitted reports, operational escalations and the constant pressure to clear queues \u2014 then no amount of awareness training for end users is going to close that gap.<\/p>\n<p>You don\u2019t compensate for overwhelmed special forces by handing rifles to farmers.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>The uncomfortable math<\/h2>\n<p>Let me walk through what\u2019s actually happening in most organizations:<\/p>\n<p>The security team receives hundreds of alerts daily. Many originate from automated controls, user reporting workflows and precautionary detections designed to err on the side of caution. 
A significant percentage require investigation \u2014 you can\u2019t know something is harmless until you look. Each investigation takes 15\u201320 minutes. The math quickly consumes 100% of available analyst capacity.<\/p>\n<p>When false-positive volume hits capacity, strategic threat hunting drops to zero. There\u2019s no time for pattern recognition across multiple signals, correlation with threat intelligence or the slow, careful analysis that catches sophisticated attacks.<\/p>\n<p>The sophisticated attacks don\u2019t announce themselves. They wait in the queue, looking like everything else. Detection becomes random \u2014 a function of luck, not design.<\/p>\n<p>This is the crisis facing the actual human layer of defense. And we\u2019re addressing it by asking frontline employees to identify subtle anomalies in systems and workflows that already passed through layers of automated controls.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>What this means<\/h2>\n<p>I\u2019m not arguing that baseline security hygiene is worthless. Employees should follow sensible practices and avoid obviously risky behavior. Basic discipline matters.<\/p>\n<p>But we\u2019ve elevated awareness training from \u2018basic hygiene\u2019 to \u2018strategic defense,\u2019 and that elevation is dangerous. It creates a false sense of coverage. It allows organizations to underinvest in actual defensive capability because they\u2019ve \u2018addressed the human element.\u2019<\/p>\n<p>The human element that needs addressing is your security team\u2019s capacity. 
Their tools, their processes, their ability to do strategic work instead of drowning in noise.<\/p>\n<p>Even regulators and standards bodies implicitly acknowledge the same bottleneck: <a href=\"https:\/\/www.enisa.europa.eu\/sites\/default\/files\/2025-06\/ENISA_Technical_implementation_guidance_on_cybersecurity_risk_management_measures_version_1.0.pdf?utm_source=chatgpt.com\">monitoring has to be implemented in a way that minimizes false positives and false negatives \u2014 because human review capacity is finite.<\/a><\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>The question worth asking<\/h2>\n<p>Every CISO should be asking: What percentage of my security team\u2019s capacity is consumed by work that doesn\u2019t actually reduce risk?<\/p>\n<p>If the answer is \u2018most of it\u2019 \u2014 if your analysts spend their days clearing precautionary alerts, reviewing benign activity and responding to internal escalations driven by uncertainty rather than threat \u2014 then you have a human layer problem.<\/p>\n<p>But the solution isn\u2019t more training for end users. It\u2019s restoring capacity to the people actually trained to defend you.<\/p>\n<p>The farmers have fields to tend. Let them farm.<\/p>\n<p>The question is whether your mercenaries have room to fight.<\/p>\n<p><strong>This article is published as part of the Foundry Expert Contributor Network.<\/strong><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>There\u2019s a phrase that\u2019s become gospel in cybersecurity: \u201cEmployees are the last line of defense.\u201d We\u2019ve built an entire industry around it. Billions of dollars in security awareness programs, mandatory simulations and user-reporting workflows across endpoints, applications and collaboration tools. 
All predicated on a premise that sounds reasonable until you examine what we\u2019re actually asking. Here\u2019s what we\u2019re asking: for the marketing coordinator, the accounts&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15870\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15870","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15870","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15870"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15870\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15870"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15870"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15870"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}