There’s a phrase that’s become gospel in cybersecurity: “Employees are the last line of defense.”

We’ve built an entire industry around it. Billions of dollars in security awareness programs, mandatory simulations and user-reporting workflows across endpoints, applications and collaboration tools. All predicated on a premise that sounds reasonable until you examine what we’re actually asking.

Here’s what we’re asking: for the marketing coordinator, the accounts payable clerk and the sales rep to catch what sophisticated security tools and trained professionals missed.

That’s not a security strategy. That’s asking farmers to repel mercenaries.

The hierarchy we don’t talk about

Think of the actual defensive capabilities in a typical organization.

Your security team has years of specialized training, access to SIEM platforms, threat intelligence feeds and forensics tools. Their full-time job is defense.

Your CISO has decades of experience, strategic visibility across the organization and the authority to make architectural decisions. Defense is their entire professional identity.

Your employees have a short annual training module, a reporting workflow and whatever attention they can spare from the job they were actually hired to do.

We’ve built a multi-billion dollar industry around the idea that the third group will succeed where the first two are failing.

The evidence is already in

This isn’t a theoretical complaint — it shows up in research on how real SOCs work. A University of Oxford study based on surveys and interviews with SOC practitioners found that they “confirmed the high” false-positive rates of the tools in use, and that many “false positives” are actually benign triggers that still require human validation.

That’s not employee failure. That’s employees doing exactly what we trained them to do — and the training is producing volume rather than clarity.

User reporting systems have become noise amplifiers. Employees are encouraged to flag anything that feels out of pattern: unusual access prompts, unexpected system messages, automated workflows, new integrations, time-sensitive requests. These signals once indicated risk. Today, they often reflect how modern, automated businesses actually operate. The cues we taught employees to distrust increasingly describe normal work.

Meanwhile, SOC teams are drowning. It’s not just the queues — it’s the human cost. ISACA’s 2024 research found 66% of cybersecurity professionals say the job is more stressful now than it was five years ago, citing a more complex threat landscape alongside resourcing constraints.

And our answer is: the accountants will save us.

The real human layer

Here’s the contrarian take the industry needs to hear: the ‘human layer’ that matters isn’t your employees. It’s your security team.

When we talk about the human element in security, we should be talking about the CISOs running on four hours of sleep during an incident. The analysts pattern-matching across thousands of signals. The threat hunters who notice something slightly off in authentication logs. The architects who see the structural weakness before it becomes a breach.

These are elite defenders. Trained professionals. The actual human intelligence in your security posture.

If they can’t keep up — if their capacity is consumed by false positive triage, user-submitted reports, operational escalations and the constant pressure to clear queues — then no amount of awareness training for end users is going to close that gap.

You don’t compensate for overwhelmed special forces by handing rifles to farmers.

The uncomfortable math

Let me walk through what’s actually happening in most organizations:

The security team receives hundreds of alerts daily. Many originate from automated controls, user reporting workflows and precautionary detections designed to err on the side of caution. A significant percentage require investigation — you can’t know something is harmless until you look. Each investigation takes 15–20 minutes. The math quickly consumes 100% of available analyst capacity.

When false positive volume hits capacity, strategic threat hunting drops to zero. There’s no time for pattern recognition across multiple signals, correlation with threat intelligence or the slow careful analysis that catches sophisticated attacks.

The sophisticated attacks don’t announce themselves. They wait in queue, looking like everything else. Detection becomes random — a function of luck, not design.

This is the crisis facing the actual human layer of defense. And we’re addressing it by asking frontline employees to identify subtle anomalies in systems and workflows that already passed through layers of automated controls.
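To make the capacity argument concrete, here is a small added triage-capacity model (constructed for this piece, not from the article or any vendor). The parameter values are assumptions chosen to match the rough figures above: hundreds of alerts a day and 15–20 minutes per investigation.

```python
"""Constructed SOC triage-capacity model (added illustration, not from the
article). Parameter values are assumptions matching the article's rough
figures: hundreds of alerts a day, 15-20 minutes per investigation."""

from dataclasses import dataclass


@dataclass
class SocDay:
    alerts_per_day: int            # total alerts hitting the queue
    investigate_fraction: float    # share that cannot be dismissed unseen
    minutes_per_investigation: float
    analysts: int
    shift_hours: float = 8.0

    def analyst_hours(self) -> float:
        """Total human review capacity available in the day."""
        return self.analysts * self.shift_hours

    def triage_hours(self) -> float:
        """Hours consumed just working the queue."""
        investigations = self.alerts_per_day * self.investigate_fraction
        return investigations * self.minutes_per_investigation / 60.0

    def utilization(self) -> float:
        """Fraction of capacity consumed by triage (can exceed 1.0)."""
        return self.triage_hours() / self.analyst_hours()

    def hunting_hours(self) -> float:
        """Capacity left for threat hunting; zero once triage overflows."""
        return max(0.0, self.analyst_hours() - self.triage_hours())

    def breakeven_alerts(self) -> float:
        """Daily alert volume at which hunting capacity reaches zero."""
        hours_per_alert = self.investigate_fraction * self.minutes_per_investigation / 60.0
        return self.analyst_hours() / hours_per_alert


def tuning_effect(day: SocDay, new_fraction: float) -> float:
    """Hunting hours recovered if tuning lowers the share of alerts that
    need a human look (e.g. suppressing known-benign triggers)."""
    tuned = SocDay(day.alerts_per_day, new_fraction,
                   day.minutes_per_investigation, day.analysts, day.shift_hours)
    return tuned.hunting_hours() - day.hunting_hours()


if __name__ == "__main__":
    # Constructed sample: 400 alerts, 60% need a look, 17.5 min each, 3 analysts.
    day = SocDay(400, 0.60, 17.5, 3)
    print(f"triage needs {day.triage_hours():.0f} h of {day.analyst_hours():.0f} h "
          f"({day.utilization():.0%}); hunting hours left: {day.hunting_hours():.0f}")
    print(f"hunting capacity hits zero at {day.breakeven_alerts():.0f} alerts/day")
```

With the sample figures, triage alone needs about 70 analyst-hours against 24 available, and hunting capacity is gone once volume passes roughly 137 alerts a day; cutting the share that needs a human look from 60% to 10% gives back about 12 hours.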

What this means

I’m not arguing that baseline security hygiene is worthless. Employees should follow sensible practices and avoid obviously risky behavior. Basic discipline matters.

But we’ve elevated awareness training from ‘basic hygiene’ to ‘strategic defense,’ and that elevation is dangerous. It creates a false sense of coverage. It allows organizations to underinvest in actual defensive capability because they’ve ‘addressed the human element.’

The human element that needs addressing is your security team’s capacity. Their tools, their processes, their ability to do strategic work instead of drowning in noise.

Even regulators and standards bodies implicitly acknowledge the same bottleneck: monitoring has to be implemented in a way that minimizes false positives and false negatives — because human review capacity is finite.

The question worth asking

Every CISO should be asking: What percentage of my security team’s capacity is consumed by work that doesn’t actually reduce risk?

If the answer is ‘most of it’ — if your analysts spend their days clearing precautionary alerts, reviewing benign activity and responding to internal escalations driven by uncertainty rather than threat — then you have a human layer problem.

But the solution isn’t more training for end users. It’s restoring capacity to the people actually trained to defend you.

The farmers have fields to tend. Let them farm.

The question is whether your mercenaries have room to fight.

This article is published as part of the Foundry Expert Contributor Network.