Over the past 20 years, the security industry has focused on technology to solve its complex problems. Yet despite decades of research and the myriad security vendors, products and technological advancements that have emerged year after year, the threat landscape is more active today that it has ever been, with no signs of abating. Why? What critical information has eluded cybersecurity companies and prevented them from stemming the tide of data breaches?
At Nuix, we believe this missing link relates to human beings. Experience has taught us that the vast majority of data breaches were not the result of failures in technology, but of poor decision-making by the people responsible for the victim organisation’s security programme. This is supported by a recent survey of corporate security officials sponsored by Nuix, showing 93% of CIOs and CISOs believe human behaviour is the biggest threat to their organisations’ security.
By focusing on technology and ignoring the human element in cybersecurity, organisations have been fighting the wrong battle, with the wrong weapons for the past two decades. Implementing this 10-step action plan will help them correct their course.
1. Admit there is a problem and that it needs to be addressed:
The first step in every recovery programme is realising there is a problem and committing to take action to resolve it. You cannot begin to address a problem that you can’t or won’t admit is actually there. Count the cost, commit and act!
- Garner top-down support: A security programme cannot be successful without top-down commitment, support and evangelisation. The leadership team within the organisation must be utterly committed to the security programme or it will become an exercise in futility and a colossal waste of money, time and energy. Even worse, if an underfunded programme fails (and it likely will), the organisation will face a backlash for publically saying that “security is important” without following through.
- Locate and overcome cognitive biases: Cognitive biases are limitations in our brain’s ability to process information, which can cause illogical decision making and poor judgement. Some psychologists believe our cognitive biases help us process information more efficiently, especially in dangerous situations, so our instinctive fight-or-flight mechanism has an advantage. While these biases may be useful in, say, avoiding being eaten by a bear, they also sometimes lead us to make grave mistakes, in many cases without our ever being aware of what we are doing.
Through introspection, training and role playing, it is possible to retrain our brains to behave differently. As you seek to implement this phase, you should retain the services of a professional executive coach, as this process will not be easy, and will very likely cause a lot of political and social upheaval within the company.
- Understand the return on investment for security: Spending time, energy and resources on security is not a net loss. When weighed up against regulatory fines, the costs of post-breach litigation and the decrease in revenue from losses of customer confidence and market share, there is definite wisdom to investing in security.
- Understand that compliance regimes are only part of the solution: Compliance will never equal security. If governance, risk management and compliance regimes alone could prevent data breaches, problems such as payment card breaches would have been eliminated decades ago. However, it is still a good idea to align the organisation’s security posture with a compliance regime. But you should never expect that compliance alone will make the organisation’s environment safe from attackers.
- Learn from your mistakes (and other people’s): Implement an after-action review process for all breaches, whether they are publicly disclosed or not. If you think beyond the impact to your own organisation about what you can learn from an incident, it will help others avoid a similar situation. That can only benefit everyone involved, including you.
7 .Institute a ‘train as you fight’ security philosophy: Just like the military is myopically focused on going to war, you should zero in on preparing for a cyberattack. Doing so will put you in a much better position to handle a real incident when, not if it happens.
- Create a culture of security-minded employees: Security is everyone’s responsibility. Client-side attacks such as social engineering, spear phishing and browser-based exploits are among the most common and most effective attack vectors. Every employee, contractor, third party vendor, intern or volunteer should understand the basics of identifying, deflecting and reporting these attacks.
- Realise security is a journey, not a destination: Becoming secure is not something you do, it’s something you are. There is no beginning or end to this journey. You will not reach the end of a strategic initiative, declare victory and celebrate your hard work. This is a long-term commitment that will change and evolve over time.
- Marrying human intelligence and technology is the key to victory: You should aim to engineer out as many human intersection points as possible to reduce the opportunity for errors. In those areas where automation cannot replace human interaction, the people in those positions should be extensively trained and equipped with software that will act as an intelligence multiplier.
For two decades we’ve been designing security technology to solve technology problems; in essence, we’ve been fighting the wrong battle. If technology has a role, it must be to help solve people problems.
By addressing the human vulnerability, organisations can reduce the number of opportunities for people to make mistakes, therefore ensuring they are exponentially more prepared, and subsequently more successful than they have ever been in protecting themselves against cyber threats.
By Chris Pogue, Chief Information Security Officer, Nuix