Boring Operational Discipline Wins the Game
on the un-excitement of defensive security done well
Offensive security is about the cool exploits. Defensive security is about boring operational discipline.
Offensive security measures binary success. Did you pwn it? Did you capture the flag? Or, if you’re a criminal or a nation-state, did you achieve your objective? Either you did or you didn’t.
Defensive security measures success as a spectrum of unknown risk. Are we hacked? I dunno. You can prove something is insecure by breaking it. You can never prove anything is secure; you can only ever prove the reverse.
Bringing offensive security thinking to defensive work is effective for one person or small teams. Know your protocol. Follow it. Small, trained teams of professionals can achieve high standards of operational security. Focus on the tech.
Anything more than a dozen people, though, and that breaks. Instead, you have to focus on the people.
Because now we’re talking defensive security not of one person but of the group. Including the weakest link. Including whoever is laziest, most distracted, having a bad day, or doesn’t care very much.
Increase by an order or two of magnitude to hundreds, thousands, or tens of thousands of people in an organization, and the lowest common denominator (as far as security goes) drops very low indeed. At that scale no one is practicing operational security. No one is even thinking about security. Even for a company of a few hundred people, security is the last thing on everyone’s minds.
So how do you secure people at scale? How do you get people to act in a secure way, do business in a secure way, when predators are watching and ready to pounce on anyone’s mistake?
Well, a naive approach would be training. Or coaching. “Come on, guys, let’s do better.” Yeah, that doesn’t work. I’ve tried. Also, when’s the last time you watched a mandatory security training video and didn’t roll your eyes? Academic research has even proven that training — that is, voluntary security practices — does not lead to better security outcomes.
So what are you left with?
Leadership and management.
Carrot and stick.
Design secure systems where there is only one way to do things, that way is the secure thing, and if you don’t do it that way you can’t do your job.
Leadership to manage upward and to explain, explain, explain ad nauseam why security matters. The carrot.
Management to know that at scale only guardrails work. You’re using your Yubikeys or you’re not logging into your email. Period. Don’t like it? Too bad. The stick.
This makes defensive security work a people problem first, a technical problem second.
Cat herding large numbers of human beings to consistently do the same boring things correctly every day, even when they’re bored, even when they’re tired, even when they’re grumpy, even when they’re staring at a phishing email and don’t know it’s a phishing email, even when everything around them is going wrong — that is the job of defensive security.
Don’t ask your employees to do the secure thing. They won’t. Take choices away from them and replace their workflow with your judgment.
This is the only way to scale defensive security when you face real adversaries in the cyber domain.