In our first-ever IT Security Guru Tweet Chat, we were joined by Javvad Malik, Dr. Jessica Barker, Mo Amin, Ed Tucker and Lisa Forte as they debated the human factor in security. These leading figures from within the cybersecurity community, who have a wealth of experience and are best placed to talk about the importance of the human element, are deeply passionate about this widely discussed topic.
Too much technology?
We began with a question that focussed on technology and the pivotal role it is playing within cyber today. It could be said that organisations have become too dependent on this component of security. But why? Well, the community certainly feel that technology offers an element of convenience that perhaps humans can’t provide.
A1. Yes, and mostly because people and process are hard, or seen to be. Harder than obtaining budget for and buying a shiny box of magic. The best fuse people, process and technology into an interconnected construct, because that is what it is throughout the business. #ITSecGuru https://t.co/T72OK5wr8K
— Ed Tucker (@Teddybreath) June 9, 2020
Well, this started off by going right for the jugular.
I do agree there is a large dependency on tech. Too often we look to solve people problems with tech. When a conversation would usually suffice. cc @LisaForteUK @drjessicabarker @infosecmo @Teddybreath https://t.co/anHQIgxVhb
— Javvad Malik v2.0 (@J4vv4D) June 9, 2020
A1: Tech is inherent in security; so are people & processes. Latter two get overlooked because it can feel easier to focus on tech. Focus is often on superficial causes of breaches (eg the latest vuln) rather than root causes (eg insecure dev or poor system design). #ITSecGuru https://t.co/0FypiiHtiS
— Jess (@drjessicabarker) June 9, 2020
You are the weakest link, goodbye
Humans also have the added stigma of being referred to as the ‘weakest link’ within security, and so this reliance on technology may seem justified. Yet, by disregarding or not addressing this mindset, organisations are essentially missing the chance to solve a critical problem within the overall security of their organisation, especially as the human factor is essential for any business. Building education and awareness from within is key.
A2: It is an easy buck to pass and root cause analysis is hard for most organisations. Staff shouldn’t have to have the burden of being told “to be secure”. Carrying on with that rhetoric only builds distrust with staff. #ITSecGuru https://t.co/nbGeaUsXz0
— Mo Amin (@infosecmo) June 9, 2020
A lot of this has emerged from a position of arrogance. Security pros feeling like they’re better than everyone else and not looking inwards at where their own shortcomings may be. #ITSecGuru https://t.co/WdKhxlxQCj
— Javvad Malik v2.0 (@J4vv4D) June 9, 2020
A2: Back in the helpdesk days, there was always the joke of ID10T errors – end users were criticized because they just didn’t know. We fail as cybersecurity professionals if we don’t educate everyone. Understand the basic cyber hygiene measures. #ITSecGuru
— James (@James_McQuiggan) June 9, 2020
What resources should be prioritised?
We then asked whether businesses are investing their resources in the wrong places to tackle security, and whether compliance was driving this. With global data security and privacy regulations severely punishing those found non-compliant, there is a strong possibility that many business decision-makers wrongly believe that being compliant automatically means the business is secure.
Compliance can be box ticking. In some industries it is necessary but it doesn’t mean it is sufficient. Focus on the assets that need protection and have a plan for what happens if it all goes wrong and you are breached #itsecguru https://t.co/MADA2N2SGE
— Lisa Forte (@LisaForteUK) June 9, 2020
One error I see often is investing in tech first without understanding the threat landscape and business risk appetite (and priorities) first. Understand what the real issues are and what’s important, then invest resources that add the most value. #ITSecGuru https://t.co/wwk1ebvqd1
— Javvad Malik v2.0 (@J4vv4D) June 9, 2020
A3: Lack of effective governance and risk management of both their investments and resources. Organizations need to strike a balance between conformance and performance.
— Jaded InfoSec Pro (@edwardmccabe) June 9, 2020
Businesses don’t appreciate the costs or complexity of security nor the risks. Security specialists don’t do a good job of communicating and reconciling this with senior management.
— 😷 Tim Morgan 🖤 (@tjcmorgan) June 9, 2020
What is more detrimental – poor knowledge or poor security?
Next, it was time to find out what the security community viewed as more dangerous for a business: a cyber-unaware workforce or a security system that has been misconfigured. Well, it depends…
A4: This is chicken and egg: a cyber unaware workforce is more likely to have misconfigured systems and not know about it! #ITSecGuru https://t.co/L3TKNMCSSB
— Jess (@drjessicabarker) June 9, 2020
I think both clearly pose risks but users that are unaware of the sensitivity of data, the threats posed by attackers and the common tactics employed leave you (and them personally) far more vulnerable #itsecguru https://t.co/St5lKl92rv
— Lisa Forte (@LisaForteUK) June 9, 2020
A4 It depends on your environment and what the classification of the data is that’s held on the system. But generally your staff should have an overall understanding of the risks that your business faces and how they can help to keep it secure. #ITSecGuru https://t.co/vGlRXyYH9h
— Mo Amin (@infosecmo) June 9, 2020
A4. Ah…….it depends (FINALLY!)
They each represent parameters of risk. Weaknesses or vulnerabilities which might, or might not be exploited, or controls that might, or might not be effective. Neither is greater than the other without context. #ITSecGuru https://t.co/igJQkXZBF3
— Ed Tucker (@Teddybreath) June 9, 2020
CISO/Security Leaders take note
Where do CISOs and security leaders go wrong when trying to obtain sufficient backing from the boardroom to enable them to build a security programme? It is clear they have an uphill battle convincing management on how to invest when it comes to security.
A5: Use the right language, avoid technical jargon and focus on issues from the angle which resonates with your ‘audience’. Familiarise yourself with annual reports for your org, understand the business priorities and consider the wider organisational culture. #ITSecGuru https://t.co/HWKzGwQsUv
— Jess (@drjessicabarker) June 9, 2020
Q5. What are the common mistakes CISOs make when trying to obtain sufficient backing from the boardroom when trying to build a security programme? #ITSecGuru
— IT Security Guru (@IT_SecGuru) June 9, 2020
Investment is needed, but make it the right investment
But what happens if investments are made? We still continue to see data breaches and successful cyberattacks plague organisations of all sizes. So, why shouldn’t we lose hope? Where should CISOs and security leaders focus their efforts?
Step back and examine where your actual risk is. This will help invest time and money more wisely. I really like the approach @rogeragrimes takes to this in his book “Data-Driven Computer Security Defense”
Many CISOs need to prioritize better and this will help #ITSecGuru https://t.co/qejuhcDlIg
— Madsqu1rrel (@ErichKron) June 9, 2020
This fight isn’t over!!! We need to invest in making the attackers work as hard for their money as we do for ours! We need a plan for if we are attacked and we need to test that plan. Where are the “life ruining” assets – focus on them. #itsecguru https://t.co/r4pTEP68U8
— Lisa Forte (@LisaForteUK) June 9, 2020
Focus on the basics. Incidents will happen. Be prepared.
— 😷 Tim Morgan 🖤 (@tjcmorgan) June 9, 2020
A6. Breaches have always happened, but one of our biggest issues is that we continue to operate in theory, and often scaremongering theory at that. Evidence, facts, demonstrable impact (good and bad). #ITSecGuru https://t.co/Q6iljaal6p
— Ed Tucker (@Teddybreath) June 9, 2020
Building a security culture
For security professionals looking to establish a strong security culture or at least have a platform to build from, here is some advice from our panellists:
A7: I’ve run and helped run culture studies in the past e.g. survey+focus group. Though this only provides a one time baseline i.e. you’ll need to run annual ones. We need to move to a data led quantitative approach… https://t.co/iWakFQB5MG
— Mo Amin (@infosecmo) June 9, 2020
A7. Involve security as little as possible. Engage the people executing business processes. Promote and foster relationships, collaboration, understanding, empathy, talking, but more importantly listening. Let the business lead you. It is their culture not yours! #ITSecGuru https://t.co/6ZBtdXPZ1I
— Ed Tucker (@Teddybreath) June 9, 2020
Culture / behavioural change takes time. So don’t expect things to rapidly change. Measure the behaviours that mean the most to you – train – re-measure to see how that has changed. Tweak and retrain. Think of it like a marketing campaign not a security one. #ITsecGuru https://t.co/fgI8e6ONKw
— Javvad Malik v2.0 (@J4vv4D) June 9, 2020
A7: Listen to your colleagues in the rest of the business, understand your wider company culture (don’t try to just bolt security culture on!) and recognise that within one organisation there will be many different sub-cultures. #ITSecGuru https://t.co/zopJq2M9gU
— Jess (@drjessicabarker) June 9, 2020
Identify high risk staff (people with access to the good stuff). Give them more in depth or face to face trainings. Get decent awareness training for all. Use phishing tests but look at developing skills not catching people out. Get staff to see the personal impact of cyber crime https://t.co/VC3MvTRMQe
— Lisa Forte (@LisaForteUK) June 9, 2020
To close the chat…
The previous questions generated a great discussion and provided insight into the difficulties, problems and issues security professionals face when trying to tackle cybersecurity. But the last question hammers home the significance and importance of the human element in security.
Yes! Because humans always interact with technology. We all run on the same hardware. We are all subject to similar vulnerabilities and biases so in many ways with the right awareness and culture it is one of the easiest elements of security to fix. We know the weaknesses https://t.co/S4hleD59Ji
— Lisa Forte (@LisaForteUK) June 9, 2020
A8. Yes. There’s humans everywhere throughout the business and security itself. PEOPLE, process and technology. If you ignore the human factor, the whole human factor, you’ll fail miserably. Well, more miserably. #ITSecGuru https://t.co/26wh2PwLU7
— Ed Tucker (@Teddybreath) June 9, 2020
A8: In my upcoming book I cover the technology lifecycle and the fact that people are involved in every stage: design, creation, testing, use, abuse and destruction. So, yes, effective security always involves people! #ITSecGuru #ShamelessSelfPromotion inspired by @J4vv4D 😁
— Jess (@drjessicabarker) June 9, 2020
A8: Fundamentally, we are trying to influence org culture. So in short, yes. Whilst we need to appreciate people, process and technology. We need to delve deeper into the people side of things… https://t.co/jz41P7hPL5
— Mo Amin (@infosecmo) June 9, 2020
Yes, because much like self-driving cars, as much as we’ve advanced technology, I wouldn’t trust it completely without the human factor. Plus involving people can bring about the Ikea effect… https://t.co/D4cfZNkpCp pic.twitter.com/GwvjB6N08c
— Javvad Malik v2.0 (@J4vv4D) June 9, 2020
And if you needed any more clarification as to why we shouldn’t solely depend on technology, I shall refer you to this reply…
As long as you have humans in your organization, absolutely.
Even Skynet had to deal with the human factor, just a bit differently #ITSecGuru pic.twitter.com/W3uqiIJWIU
— Madsqu1rrel (@ErichKron) June 9, 2020
If you were unable to make the Tweet Chat, no worries, simply follow the IT Security Guru or search the hashtag #ITSecGuru to see the Q&A.