IT Security Guru

Tweet Chat: The Human factor in Security

...You are the weakest link, goodbye

by Sabina
August 11, 2020
in Featured, Opinions & Analysis, This Week's Gurus, TweetChat

In our first-ever IT Security Guru Tweet Chat, we were joined by Javvad Malik, Dr. Jessica Barker, Mo Amin, Ed Tucker and Lisa Forte as they debated the human factor in security. These leading figures from within the cybersecurity community, who have a wealth of experience and are best placed to talk about the importance of the human element, are deeply passionate about this widely discussed topic.

Too much technology?

We began with a question that focussed on technology and the pivotal role it is playing within cyber today. It could be said that organisations have become too dependent on this component of security. But why? Well, the community certainly feel that technology offers an element of convenience that perhaps humans can’t provide.

A1. Yes, and mostly because people and process are hard, or seen to be. Harder than obtaining budget for and buying a shiny box of magic. The best fuse people, process and technology into an interconnected construct, because that is what it is throughout the business. #ITSecGuru https://t.co/T72OK5wr8K

— Ed Tucker (@Teddybreath) June 9, 2020

Well, this started off by going right for the jugular.

I do agree there is a large dependency on tech. Too often we look to solve people problems with tech. When a conversation would usually suffice. cc @LisaForteUK @drjessicabarker @infosecmo @Teddybreath https://t.co/anHQIgxVhb

— Javvad Malik v2.0 (@J4vv4D) June 9, 2020

A1: Tech is inherent in security; so are people & processes. Latter two get overlooked because it can feel easier to focus on tech. Focus is often on superficial causes of breaches (eg the latest vuln) rather than root causes (eg insecure dev or poor system design). #ITSecGuru https://t.co/0FypiiHtiS

— Jess (@drjessicabarker) June 9, 2020

You are the weakest link, goodbye

Humans also carry the added stigma of being referred to as the ‘weakest link’ within security, and so this reliance on technology may seem justified. Yet by disregarding or not addressing this mindset, organisations miss the chance to fix a critical weakness in their overall security, especially as the human factor is essential to any business. Building education and awareness from within is key.

A2: It is an easy buck to pass and root cause analysis is hard for most organisations. Staff shouldn’t have to have the burden of being told “to be secure”. Carrying on with that rhetoric only builds distrust with staff. #ITSecGuru https://t.co/nbGeaUsXz0

— Mo Amin (@infosecmo) June 9, 2020

A lot of this has emerged from a position of arrogance. Security pros feeling like they’re better than everyone else and not looking inwards at where their own shortcomings may be. #ITSecGuru https://t.co/WdKhxlxQCj

— Javvad Malik v2.0 (@J4vv4D) June 9, 2020

A2: Back in the helpdesk days, there was always the joke of ID10T errors – end users were criticized because they just didn’t know. We fail as cybersecurity professionals if we don’t educate everyone. Understand the basic cyber hygiene measures. #ITSecGuru

— James (@James_McQuiggan) June 9, 2020

What resources should be prioritised?

We then asked whether businesses are investing their resources in the wrong places to tackle security, and whether compliance is driving this. With global data security and privacy regulations severely punishing those found non-compliant, there is a strong possibility that many business decision-makers wrongly believe that being compliant automatically means the business is secure.

Compliance can be box ticking. In some industries it is necessary but it doesn’t mean it is sufficient. Focus on the assets that need protection and have a plan for what happens if it all goes wrong and you are breached #itsecguru https://t.co/MADA2N2SGE

— Lisa Forte (@LisaForteUK) June 9, 2020

One error I see often is investing in tech first without understanding the threat landscape and business risk appetite (and priorities) first. Understand what the real issues are and what’s important, then invest resources that add the most value. #ITSecGuru https://t.co/wwk1ebvqd1

— Javvad Malik v2.0 (@J4vv4D) June 9, 2020

A3: Lack of effective governance and risk management of both their investments and resources. Organizations need to strike a balance between conformance and performance.

— Jaded InfoSec Pro (@edwardmccabe) June 9, 2020

Businesses don’t appreciate the costs or complexity of security nor the risks. Security specialists don’t do a good job of communicating and reconciling this with senior management.

— 😷 Tim Morgan 🖤 (@tjcmorgan) June 9, 2020

What is more detrimental – poor knowledge or poor security?

Next, it was time to find out what the security community viewed as more dangerous for a business: a cyber-unaware workforce or a security system that has been misconfigured. Well, it depends…

A4: This is chicken and egg: a cyber unaware workforce is more likely to have misconfigured systems and not know about it! #ITSecGuru https://t.co/L3TKNMCSSB

— Jess (@drjessicabarker) June 9, 2020

I think both clearly pose risks but users that are unaware of the sensitivity of data, the threats posed by attackers and the common tactics employed leave you (and them personally) far more vulnerable #itsecguru https://t.co/St5lKl92rv

— Lisa Forte (@LisaForteUK) June 9, 2020

A4 It depends on your environment and what the classification of the data is that’s held on the system. But generally your staff should have an overall understanding of the risks that your business faces and how they can help to keep it secure. #ITSecGuru https://t.co/vGlRXyYH9h

— Mo Amin (@infosecmo) June 9, 2020

A4. Ah…….it depends (FINALLY!)

They each represent parameters of risk. Weaknesses or vulnerabilities which might, or might not be exploited, or controls that might, or might not be effective. Neither is greater than the other without context. #ITSecGuru https://t.co/igJQkXZBF3

— Ed Tucker (@Teddybreath) June 9, 2020

CISO/Security Leaders take note

Where do CISOs and security leaders go wrong when trying to obtain sufficient backing from the boardroom to build a security programme? It is clear they face an uphill battle convincing management on how to invest when it comes to security.

A5: Use the right language, avoid technical jargon and focus on issues from the angle which resonates with your ‘audience’. Familiarise yourself with annual reports for your org, understand the business priorities and consider the wider organisational culture. #ITSecGuru https://t.co/HWKzGwQsUv

— Jess (@drjessicabarker) June 9, 2020

Q5. What are the common mistakes CISOs make when trying to obtain sufficient backing from the boardroom when trying to build a security programme? #ITSecGuru

— IT Security Guru (@IT_SecGuru) June 9, 2020

Investment is needed, but make it the right investment

But what happens once investments are made? We still see data breaches and successful cyberattacks plaguing organisations of all sizes. So why shouldn’t we lose hope, and where should CISOs and security leaders focus their efforts?

Step back and examine where your actual risk is. This will help invest time and money more wisely. I really like the approach @rogeragrimes takes to this in his book “Data-Driven Computer Security Defense”

Many CISOs need to prioritize better and this will help #ITSecGuru https://t.co/qejuhcDlIg

— Madsqu1rrel (@ErichKron) June 9, 2020

This fight isn’t over!!! We need to invest in making the attackers work as hard for their money as we do for ours! We need a plan for if we are attacked and we need to test that plan. Where are the “life ruining” assets- focus on them. #itsecguru https://t.co/r4pTEP68U8

— Lisa Forte (@LisaForteUK) June 9, 2020

Focus on the basics. Incidents will happen. Be prepared.

— 😷 Tim Morgan 🖤 (@tjcmorgan) June 9, 2020

A6. Breaches have always happened, but one of our biggest issues is that we continue to operate in theory, and often scaremongering theory at that. Evidence, facts, demonstrable impact (good and bad). #ITSecGuru https://t.co/Q6iljaal6p

— Ed Tucker (@Teddybreath) June 9, 2020

Building a security culture

For security professionals looking to establish a strong security culture or at least have a platform to build from, here is some advice from our panellists:

A7: I’ve run and helped run culture studies in the past e.g. survey+focus group. Though this only provides a one time baseline i.e. you’ll need to run annual ones. We need to move to a data led quantitative approach… https://t.co/iWakFQB5MG

— Mo Amin (@infosecmo) June 9, 2020

A7. Involve security as little as possible. Engage the people executing business processes. Promote and foster relationships, collaboration, understanding, empathy, talking, but more importantly listening. Let the business lead you. It is their culture not yours! #ITSecGuru https://t.co/6ZBtdXPZ1I

— Ed Tucker (@Teddybreath) June 9, 2020

Culture / behavioural change takes time. So don’t expect things to rapidly change. Measure the behaviours that mean the most to you – train – re-measure to see how that has changed. Tweak and retrain. Think of it like a marketing campaign not a security one. #ITsecGuru https://t.co/fgI8e6ONKw

— Javvad Malik v2.0 (@J4vv4D) June 9, 2020

A7: Listen to your colleagues in the rest of the business, understand your wider company culture (don’t try to just bolt security culture on!) and recognise that within one organisation there will be many different sub-cultures. #ITSecGuru https://t.co/zopJq2M9gU

— Jess (@drjessicabarker) June 9, 2020

Identify high risk staff (people with access to the good stuff) Give them more in depth or face to face trainings. Get decent awareness training for all. Use phishing tests but look at developing skills not catching people out. Get staff to see the personal impact of cyber crime https://t.co/VC3MvTRMQe

— Lisa Forte (@LisaForteUK) June 9, 2020

To close the chat…

The previous questions generated a great discussion and provided insight into the difficulties, problems and issues security professionals face when trying to tackle cybersecurity. But the last question drives home the significance and importance of the human element in security.

Yes! Because humans always interact with technology. We all run on the same hardware. We are all subject to similar vulnerabilities and biases so in many ways with the right awareness and culture it is one of the easiest elements of security to fix. We know the weaknesses https://t.co/S4hleD59Ji

— Lisa Forte (@LisaForteUK) June 9, 2020

A8. Yes. There’s humans everywhere throughout the business and security itself. PEOPLE, process and technology. If you ignore the human factor, the whole human factor, you’ll fail miserably. Well, more miserably. #ITSecGuru https://t.co/26wh2PwLU7

— Ed Tucker (@Teddybreath) June 9, 2020

A8: In my upcoming book I cover the technology lifecycle and the fact that people are involved in every stage: design, creation, testing, use, abuse and destruction. So, yes, effective security always involves people! #ITSecGuru #ShamelessSelfPromotion inspired by @J4vv4D 😁

— Jess (@drjessicabarker) June 9, 2020

A8: Fundamentally, we are trying to influence org culture. So in short, yes. Whilst we need to appreciate people, process and technology. We need to delve deeper into the people side of things… https://t.co/jz41P7hPL5

— Mo Amin (@infosecmo) June 9, 2020

Yes, because much like self-driving cars, as much as we’ve advanced technology, I wouldn’t trust it completely without the human factor. Plus involving people can bring about the Ikea effect… https://t.co/D4cfZNkpCp pic.twitter.com/GwvjB6N08c

— Javvad Malik v2.0 (@J4vv4D) June 9, 2020

And if you needed any more clarification as to why we shouldn’t depend solely on technology, I shall refer you to this reply…

As long as you have humans in your organization, absolutely.

Even Skynet had to deal with the human factor, just a bit differently #ITSecGuru pic.twitter.com/W3uqiIJWIU

— Madsqu1rrel (@ErichKron) June 9, 2020


If you were unable to make the Tweet Chat, no worries, simply follow the IT Security Guru or search the hashtag #ITSecGuru to see the Q&A.

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic