Your New Tools and Policies Won’t Save You

Our world is driven by technology. Most industries rely heavily on technology in one form or another, whether through machine automation, innovation as a business, collaboration, or communication. However, as quickly as we evolve and advance technologically, in many cases the underlying problems are never addressed.

How many times have you heard of a company that bought the Cadillac version of a type of software and then found that it wasn’t worth the money? The initial problem was never solved: the technology absorbed the processes but didn’t fix them. No piece of technology is a silver bullet, and no technology will be able to solve processes riddled with gaps. Think of it this way: if the software were a house you were planning to build, you could use the nicest materials and have the best contractors building it, but if the foundation is in disrepair, the house will fall apart in a matter of years. Then it becomes the blame game. Was it the contractors? Was it you, who ignored the problem? Was it the inspector who didn’t catch the holes in the foundation? Was it faulty building materials? With this blame shifting, we never learn from our mistakes or how to avoid them in the future, and if we try to build a new house, it will only fall apart again in a few years. It seems what we have collectively forgotten is that technology cannot solve human problems.

This same problem plagues policies too. Creating a new policy will not drive behavior. A successful policy must have a process and supplemental documentation, like standards and guidelines, in place. Like layers on a cake, you have to build from the ground up, and that first layer is ensuring your processes and the people completing them are functional; without that, your cake will topple over. Additionally, communication and end-user adoption are key. When writing policies, or any document for enforcement within an organization, communication with and education of those impacted are critical.

How does this have anything to do with cybersecurity?

Almost daily we hear about breaches of organizations. Technology is often the scapegoat. However, it’s important to take into consideration how the breaches occurred. The 2020 Verizon DBIR paints a vastly different picture. According to Verizon’s report, 22% of breaches were related to phishing, 4% of breaches were due to lost or stolen assets, and 37% of breaches were due to stolen or lost credentials. Although technology could help prevent some of those breaches, the fundamental root cause is human.

Your organization can have a superb email security policy or technology, but it will be entirely ineffective if your end users don’t understand what to look for in suspicious emails and aren’t consistently trained. It just takes one click. Your organization could have a state-of-the-art security operations center, but no amount of logs or technology will prevent an end user from writing down their passwords on a Post-it note and taping it to the bottom of their device.

As an industry, it’s critical that, as we hurtle towards artificial intelligence, automation and new security technologies to protect our organizations, we not forget that humans will always be a part of the equation. Numerous polls have recently been published in which cybersecurity experts indicated that they expect AI will replace their jobs in the next 10-15 years. While I certainly agree there are more than likely parts of cybersecurity that will become a thing of the past, the fact of the matter is that the human component will always be the weakest link in the chain, and no one understands humans more than humans. Cybersecurity experts will always be needed to communicate, educate and translate technology and security to the layperson so we can prevent the next big hack.

Aldous Huxley was once quoted as saying “Technological progress has merely provided us with more efficient means for going backwards.” As an industry, I implore cybersecurity to not embody this. Technology paired with education, awareness, processes and controls will go miles further than just that “new shiny” tool.
