Proofpoint's latest 'voice of the CISO' report includes this depressing statement: "Year after year, human error continues to rank as the greatest cybersecurity vulnerability". Aside of the fact that viewing human error as a root cause of a vulnerability is a fallacy ('cause' is simply where we decide to stop looking further), this points to the fact that at the highest levels of the biggest organisations we continue to blame users for poor security outcomes. I feel like I need to have this decades-old statement printed on a plaque I can point to: "Rather than being the main instigators of an accident, operators tend to be the inheritors of system defects created by poor design, incorrect installation, faulty maintenance and bad management decisions. Their part is usually that of adding the final garnish to a lethal brew whose ingredients have already been long in the cooking." (James Reason, Human error)