Hopefully, May's brain trust will tell him that the purpose of a good security program is to implement a strong security culture. That is accomplished by implementing awareness programs that use scientific principles to get people to behave securely by default and by implementing technical and other countermeasures that proactively prevent users from taking actions that are known to cause damage, or that at least contain that damage.
And if Thornton May were ever to consider me part of his brain trust, I would ask him, "Is that user behavior stupid, or is it just something that should be expected and that infosec professionals should therefore prevent or mitigate?"
Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his Web site, irawinkler.com.