Cybersecurity likes to pretend it’s a science problem.
It isn’t. Not really.
It’s a people problem that we’ve wrapped in technical language because that feels more precise, more controllable. We talk about what’s most secure, what aligns with frameworks, what checks the right boxes. We build systems that make sense on paper.
And then we hand them to people who have jobs to do.
That’s where things start to slip.
Because security that isn’t usable doesn’t get used. And the moment people start working around your controls, it doesn’t matter how strong they were to begin with. They’ve already failed.
At its core, cybersecurity lives in the tension between two things that don’t always get along. There’s the science of secure, and there’s the reality of what people can actually live with.
The science side is clean. It’s structured. It gives us things we can point to and defend.
Defense in depth. Zero trust. Encryption. Segmentation. Multi-factor authentication. Compliance frameworks like NIST, HIPAA, ISO.
All of it matters. All of it has a place. These are the guardrails. They’re what keep small mistakes from turning into disasters.
But they come with an assumption that rarely gets said out loud. They assume a kind of perfect world. Perfect implementation. Perfect understanding. Perfect behavior.
That world doesn’t exist.
What does exist is people trying to get through their day.
People who are juggling deadlines, interruptions, broken tools, unclear instructions. People who don’t think about security unless something goes wrong. People who will take the shortest path that lets them do their job.
That’s where the art comes in.
Designing for real humans means letting go of the idea that users are the problem to be fixed. It means asking harder questions. Not “is this secure,” but “can someone actually use this without breaking their workflow.”
It means simplifying access without opening the door too wide. It means understanding context. It means explaining risk in a way that lands, not just technically, but personally.
Because when something is too rigid, people don’t push back in meetings. They adapt quietly.
They write passwords down. They share accounts. They build little workarounds that make sense in the moment and create invisible risks over time.
Not because they don’t care.
Because the system didn’t work for them.
I’ve seen what happens when that balance gets ignored.
I stepped into a role once where the previous security lead had done everything “right.” Every framework box checked. Every policy documented. Nearly 300 pages of it.
On paper, it was airtight.
In practice, it was unusable.
No one followed it. Not because they were reckless, but because they couldn’t. It didn’t reflect how the organization actually operated. It didn’t account for the people who had to live inside those rules every day.
By the time I got there, the damage wasn’t just technical. It was cultural. Trust was gone. Security wasn’t seen as a partner. It was seen as an obstacle.
Fixing that didn’t start with better controls. It started with listening.
What are people trying to do? Where are they getting blocked? What feels unnecessary, and what actually introduces risk?
From there, it became a series of compromises. Not the kind that weaken security, but the kind that make it real.
You take the workflow. You take the control. You find the point where they can coexist.
Sometimes that means scaling something back. Sometimes it means adding friction in a different place. Sometimes it means explaining the “why” until it finally clicks.
That’s where things start to change.
Because when people understand what you’re protecting and why it matters, they stop seeing security as arbitrary. When controls fit into their day instead of disrupting it, they stop looking for ways around them.
That’s where adoption happens.
There’s this persistent myth that usability and security are opposites. That if you make something easier, you’ve made it weaker.
What actually happens, more often than not, is the opposite.
When something is intuitive, it gets used correctly. When it makes sense, people follow it. When it respects the way people work, it becomes part of the workflow instead of something bolted on top of it.
And that’s where security gets stronger.
So the question isn’t how to choose between the science and the art. You need both. The question is how early you bring the human side into the conversation.
If you wait until the end, you’re just reacting to resistance. If you bring it in at the start, you design something people can actually carry.
Talk to stakeholders before the controls are locked in. Test usability with the same seriousness you test for vulnerabilities. Treat education and empathy as part of the control, not an afterthought.
And keep the goal in front of you.
Security isn’t there to gatekeep. It’s there to enable the business and protect the people inside it.
The strongest programs aren’t the ones with the most rules. They’re the ones people can follow without feeling like they’re constantly pushing uphill.
Because in the end, security only works when it’s both secure and available.
That’s the balance.
That’s the work.
And that’s where it finally starts to feel like it’s doing what it was meant to do.