62 Jayson E. Street

“There is no finite point where it’s going to be, ‘Well, okay, we’ve now spent enough. We’re secure.’ ”


Twitter: @jaysonstreet • Website: jaysonestreet.com

Jayson E. Street is a co-author of the Dissecting the Hack series. He is also the DEF CON Groups Global Ambassador and the VP of InfoSec for SphereNY. Jayson has spoken on a variety of information security subjects, including events at DEF CON, DerbyCon, GrrCon, and several other cons and colleges.

If there is one myth that you could debunk in cybersecurity, what would it be?

That humans are a liability. We always want to blame humans: “stupid user clicked on a link,” “stupid user had a bad password,” “stupid user went to a website,” when it was actually “stupid information security who didn’t properly train their users.” Employees will do everything necessary to stay employed in their jobs and do what they’re told. We don’t teach them that part of their responsibility is to be security-minded. So, therefore, they don’t have to be. It’s not up to them to intuitively know about that. It’s up to us to teach them that that’s expected, and then they’ll do that because that’s part of their job. We don’t need to keep getting technology to protect our users. We need to start getting our users better able to protect the technology.

What is one of the biggest bang-for-the-buck actions that an organization can ...

Get Tribe of Hackers now with the O’Reilly learning platform.
