Technology is inherently complex—but in cybersecurity, complexity can be a liability. As threats from cybercriminals and nation-states grow, organizations often turn to sophisticated tools. Yet, simplicity and clarity in design are more effective for building resilient systems.
Edsger W. Dijkstra once said, “Simplicity is a great virtue but it requires hard work to achieve it and education to appreciate it. And to make matters worse, complexity sells better.” This rings especially true in cybersecurity, where quick-fix solutions often overshadow disciplined, strategic approaches.
If we step back from individual cybersecurity incidents, some global characteristics become apparent. One is that any cybersecurity equation has three components: people, process, and technology.
All three must work together well to avoid cybersecurity failures. More important, all three need to be considered in designing an effective cybersecurity system. Despite this, all too often we focus exclusively on technology. What tool can we implement that will insulate us from this risk? How much does it cost, and can we afford it? This is a shortsighted and costly approach, and it does not work. Let’s look a bit more at each of these three areas. Perhaps doing so will bring some helpful perspective.
To reduce operational risk, organizations must consider the three pillars of cybersecurity: people, process, and technology. While technology gets the spotlight, human error is often the root cause of breaches. According to IBM, 60% of attacks are insider-driven—three-quarters of which are intentional.
A successful cybersecurity strategy prioritizes people and process before technology. Training, awareness, and clear protocols are essential. Only then should tools be layered in to support—not replace—these foundations.