I have spent more than 15 years in cybersecurity, and for a good portion of that time I believed what most of us believe: that our job was to make security everyone's number one priority. Posters said it. Inductions said it. Executive town halls said it. Security first.
It was never true. Not for a single person in any organisation. I do not open my laptop in the morning to do security; I open it to write a strategy paper, prepare for a meeting, or reply to someone who needed an answer yesterday. Security travels alongside those things. It is never the destination.
Security is what the literature calls a secondary task: something you must do on the way to your real goal. A salesperson opens their laptop to close a deal. A nurse logs in to treat a patient. A finance analyst signs in to reconcile month-end. Nobody, anywhere, logs in to do security. And yet we build entire programmes on the assumption that they should.
People have a budget, and we are not the only ones spending it
In 2008, Beautement, Sasse and Wonham gave us one of the most useful ideas in the field: the compliance budget. People hold a finite reserve of time, attention and effort for anything that is not their actual job. Every rule, every prompt, every mandatory module draws that budget down. When it runs out, corners get cut, and no amount of motivation refills it.
Here is the part we conveniently forget. Security does not have that budget to itself.
The same finite reserve is being spent by privacy training, health and safety refreshers, anti-bribery attestations, data protection assessments, HR policy acknowledgements, quality audits and whatever else landed in the inbox this quarter. Each function believes its topic is the priority. Each function is competing for the same exhausted attention. From where the person sits, it is one undifferentiated stream of demands from people who have never watched them do their job.
So when someone clicks through our annual training at speed, they are not being careless. Herley showed back in 2009 that ignoring security advice is often entirely rational: when you add up the daily cost of following every rule against the harm those rules actually prevent, the ledger frequently favours the person who cut corners. People are economists of their own time. They are budgeting, sensibly, against a payoff they never see. Do security well, and nothing happens. The breach that never occurred provides no feedback, no reward, no proof the effort was worth anything.
The person whose priority we are ignoring
Behind the compliance budget sits something more human. People have their own priorities, and they are good ones. Hitting the sales target that pays the mortgage. Getting the promotion. Finishing on time to collect the kids. Being seen as someone who delivers.
These are not obstacles to security. They are the reason people come to work. When we position security as the thing that must come first, we ask people to demote the goals that give their working lives meaning, and then we are surprised when they quietly decline. Worse, when following our controls slows the work down, we have engineered a direct conflict between doing the job well and doing security well. Kirlappos and colleagues documented what happens next: shadow security. Shared logins, files emailed home, workarounds invented so the job can continue. Those workarounds are not disobedience. They are the most honest data we have about where our security does not fit the work.
And here is a distinction that matters more than it sounds. These are not "employees" or "end users" or, heaven help us, "the weakest link". They are people. The same as us. We in security are running the identical calculation every day: which demands deserve our limited energy, and which can safely wait. The moment we start talking about "them", we have positioned ourselves outside the tribe we are supposed to be protecting, and Adams and Sasse warned us in 1999 exactly where that leads. Users are not the enemy. Treating them as one makes everything worse.
What working with people actually looks like
If security cannot be the priority, what is the alternative? Not surrender. Something better: making secure behaviour compatible with people's existing priorities.
That starts with respecting the budget. Every request we make should survive a simple test: is this worth a withdrawal from a finite account that privacy, safety and six other functions are also drawing on? If the honest answer is no, cut it. Fewer, better asks beat a constant drizzle of awareness emails, mandated modules and compliance assessments that measure attendance rather than behaviour. Stanton's work on security fatigue shows what the drizzle produces: not vigilance, but weariness, and worse decisions with it.
It continues with design. If the secure path is slower than the insecure one, the insecure one wins, and it should. Our job is to remove the tax, not to lecture people for avoiding it. Where the secure action is the quick action, no persuasion is needed at all.
And it depends on going where the work is. Not broadcasting at people from the centre, but sitting with the sales team, the ward, the finance function, and understanding what their real Tuesday looks like. This is why Security Champions matter so much to me, and why they sit at the heart of what we have built at CyBehave. A champion is not a messenger for the security team. They are a trusted insider of their own tribe, someone who understands the deal being closed and the deadline being chased, and who can shift what feels normal from within. They translate in both directions: security into the language of the work, and the reality of the work back into security.
The reframe
Zimmermann and Renaud called the shift human-as-problem to human-as-solution, and it captures the whole argument. For thirty years we bought engineering for our machines and posters for our people, then blamed the people when the posters did not work.
The better position is this. Security is not the priority, and it should stop trying to be. It is the quiet enabler of everyone else's priorities: the thing that lets the deal close, the patient get treated and the career progress without a breach tearing through any of it. That is not a demotion. It is the most useful job in the building, and we can only do it by working with people, respecting the budget they are spending on our behalf, and remembering that they are exactly the same as us.
Security first was always the wrong slogan. People first gets you better security.
The research referenced here, from the compliance budget to shadow security, is set out with full sources on our science page at cybehave.com/science.