When You Want to Make (Security) Things Better… But Accidentally Make Them Worse

News and information from the Advent IM team.

You know that feeling when you’re trying to fix something, but end up making it ten times worse? Like when you go to ‘tidy’ the garage and suddenly it looks like a skip exploded. Well, we’ve managed to do something very similar in security — and it’s biting us back.

Somewhere along the way, we decided that security conversations needed to be ‘professional’. So we dusted off the jargon dictionary and started throwing around words like “zero trust architecture”, “multi-factor authentication pipelines”, and “advanced persistent threats”. It sounded impressive… to us.

But to the people who really keep organisations going — the reception teams, operations managers, finance officers, customer service staff — we may as well have been speaking Klingon.

And this is where the trouble starts.

Because when the language feels alien, people mentally step back. They assume it’s someone else’s problem to fix.

“Oh, that’s an IT thing.”

“I’m not important enough for hackers to bother with me.”

“I wouldn’t even know what a cyber attack looks like.”

Sound familiar?

And that’s when the gaps start to widen. Simple phishing emails slip through the cracks. Poor password habits creep in. The warning signs of fraud or data mishandling get ignored. Not because people don’t care — but because they’ve been made to feel like they’re not part of the solution. Worse, that they are the problem, have no place in the solution or are perhaps too stupid to do any better. (Yes, we do still hear the ‘stupid users’ excuse.)

We haven’t made security clearer. We’ve made it a closed club. We have put technical language in the hands of people who don’t need it, and understandably the risks have therefore not been reduced. <insert your complaint about sweeping generalities here, I don’t care, I meant it>

If you want proof, just look at recent news — Microsoft SharePoint being exploited globally because patches weren’t applied. Not because it was complex, but because basic security hygiene got missed. It’s the digital equivalent of leaving your front door wide open and being shocked when someone strolls in.

So what do we do?

We start making it simple again.

We stop talking about ‘complex threat landscapes’ to people for whom that has no meaning and start talking about ‘dodgy links in emails’.

We link security back to everyday decisions people actually make — clicking links, opening files, trusting calls, sharing information.

If we feel we need to use technical language with non-technical people, we should at least give them some education and a glossary, as well as access to experts who know their technical stuff but, more importantly, are invested in helping and in making it easy for non-technical people to grasp and therefore use.

Most importantly, we make it human. Because behind every breach is a human decision. And in every strong security culture, you’ll find people who get it, not because they’ve done hours of security training, but because someone took the time to explain how it actually affects them.

Security isn’t a tech thing (unless you are technical, and even then not exclusively; you need many more skills) – it’s a people thing. And we’ll only get it right when we start talking to people like… people.
