The phrase “humans are the weakest link” in the cybersecurity industry is akin to the phrase “carpe diem” in the tattoo world—overused, yet still a classic.
It’s no surprise that the industry phrase is thrown around frequently given the growing reports of poor password hygiene among employees (and even IT and cybersecurity leaders), the rise of insider threats, and social engineering tactics that continue to grow in sophistication. Verizon’s 2025 Data Breach Investigations report found that 60% of breaches had a human element.
“It should come as no surprise for even the most casual reader of cybersecurity reports that breaches involving humans were responsible for the majority of the cases we reviewed,” the report wrote.
Wake up and smell the coffee. Cequence Security CISO Randolph Barr told IT Brew that he heard the industry tagline throughout his career and even used it as part of his security awareness campaigns for employees in the early 2000s.
“I would use examples like, ‘Treat your [security] posture like your toothbrush. Use it every day and change it often,’” Barr said.
However, Barr and others have begun to push back on the popular quip. Kusari co-founder and CTO Michael Lieberman said the issue is not that humans are the weakest link, but rather that humans are at the bottom of the chain and on the frontlines of various interactions.
“All the tools and technologies we’re building are built by humans. All the processes we’re following are built by humans,” Lieberman said. “When somebody makes a mistake, it’s a human making the mistake.”
Lieberman added that the “pejorative” phrase shifts the focus on who to blame for security incidents rather than on the tools and tech that can be used to protect against such threats.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
“When people say that, I think they just immediately assume you have some poor, ignorant person who’s looking at their email and goes, ‘Oh, somebody promised me a million dollars,’ and they click the link, and then they inadvertently expose their company to a thing,” he said.
Time for a revamp? IT Brew asked several cybersecurity professionals whether or not they believe it is time to phase out the industry cliché. At a time when people are more cognizant of threats, and there’s a greater landscape of risk-mitigating tools and controls at a company’s disposal, Barrs said it just might be.
“It’s time for us to not have to use that as…the sole reason why these breaches happen,” he said.
Stephanie Hagopian, VP of security solutions at CDW, is not a fan of the industry phrase. She told IT Brew that humans shouldn’t be painted as weak when malicious actors use social engineering to deceive employees just trying to do their job.
“You’re going to check and read your email. You need to respond to that email and it’s been constructed so creatively and purposely that you can fall [for it] very easily,” Hagopian said.
“We can be the strongest link if we’re just enabling people appropriately and educating them on what they need to look out for and what they need to do,” she added.
James Cassata, a senior cloud security architect at Myriad360, said that while he believes there is some truth to the saying, he is in favor of a modification of sorts.
“I like an adaptation to it that says, ‘Humans are your greatest asset,’ because I think it puts a more positive spin on things,” Cassata said.