"If you accept that security is a process, and if you can eliminate the human interaction or intervention in that process by automating more, that is a good thing"
About this Quote
Thompson is selling a managerial worldview in which risk becomes something you can continuously tune, like a thermostat, rather than a crisis you heroically “solve.” Calling security a process does quiet rhetorical work: it reframes breaches and failures not as moral lapses or bad actors, but as predictable outcomes in a system that can be optimized. That’s classic enterprise thinking, and it’s persuasive because it swaps fear for control.
The sharper move is the phrase “eliminate the human interaction.” On the surface it’s a pragmatic nod to human error: people click the phishing link, reuse the password, ignore the patch schedule. Underneath, it’s an argument about authority. Automation doesn’t just reduce mistakes; it centralizes decisions in tools, policies, and the teams that configure them. The “good thing” isn’t only fewer incidents, it’s fewer unruly variables - fewer judgment calls, fewer exceptions, fewer employees improvising around security to get work done.
Context matters: Thompson comes out of the era when security stopped being a perimeter and became an always-on, networked problem - cloud services, remote work, sprawling vendors, nonstop alerts. In that environment, “process” means endless vigilance, and automation is pitched as the only scalable way to keep up. The subtext is also a budget argument: invest in platforms, not headcount; in repeatable workflows, not bespoke heroics.
It works because it flatters executives with a promise: you can buy consistency. The uneasier truth it sidesteps is that automation shifts human involvement rather than erasing it - from end users to the small group that builds, trains, and governs the machines.
The sharper move is the phrase “eliminate the human interaction.” On the surface it’s a pragmatic nod to human error: people click the phishing link, reuse the password, ignore the patch schedule. Underneath, it’s an argument about authority. Automation doesn’t just reduce mistakes; it centralizes decisions in tools, policies, and the teams that configure them. The “good thing” isn’t only fewer incidents, it’s fewer unruly variables - fewer judgment calls, fewer exceptions, fewer employees improvising around security to get work done.
Context matters: Thompson comes out of the era when security stopped being a perimeter and became an always-on, networked problem - cloud services, remote work, sprawling vendors, nonstop alerts. In that environment, “process” means endless vigilance, and automation is pitched as the only scalable way to keep up. The subtext is also a budget argument: invest in platforms, not headcount; in repeatable workflows, not bespoke heroics.
It works because it flatters executives with a promise: you can buy consistency. The uneasier truth it sidesteps is that automation shifts human involvement rather than erasing it - from end users to the small group that builds, trains, and governs the machines.
Quote Details
| Topic | Privacy & Cybersecurity |
|---|
More Quotes by John
Add to List
