In my time in the trenches, and in my previous role as a Gartner research analyst and industry advisor, I spent a LOT of time helping organizations across the world think through their cybersecurity programs. Much of this time was thinking through the defensive measures and how technology can assist.
However, even with the best technological defenses, there is a good chance that a persistent attacker can penetrate most organizations with relative ease; this is because the attacker will take the path of least resistance – a human – to bypass technical defenses.
Because technology will never be 100% effective in preventing security incidents, I’ve adopted the following saying: “Technology is important, but flawed…and humans are flawed, but important.”
It is only when we fully accept both parts of the statement above that we can begin making real strides in better securing our organizations.
So, what does that look like?
I’m a big fan of the NIST Cybersecurity Framework. It’s not perfect – but it is great at helping create a structured process for thinking through and planning a robust cybersecurity strategy. The framework outlines five areas for planning; they are:
- Identify
- Protect
- Detect
- Respond
- Recover
Most of you will have at least a passing familiarity with the NIST Framework, so I won’t waste space rehashing it. But, if you aren’t familiar with the framework, please take some time to review it. You won’t be sorry.
So, here’s where my axiom from above comes in… “Technology is important, but flawed… and humans are flawed, but important.” The vast majority of organizations I’ve seen who work through the NIST framework do so in a technology-centric manner. My recommendation is simply to also map each element to human-centric processes and controls.
Making a human-centric Cybersecurity Framework
Here is a quick brainstorm of how this might work for your organization.
Identify:
- Catalog the points at which humans interact with technology and data
- Survey employees, contractors, etc., to get an assessment of their security-related attitudes and practices
- Survey executives to catalog their understanding of security practices, data exposure, business risk associated with breach, attitudes toward security, etc.
- Perform threat modeling exercises that explicitly use humans as an attack vector and/or as a potential point of weakness
Protect:
- Schedule security awareness campaigns for critical topics
- Implement behavior management programs for areas such as phishing, social engineering, password hygiene, etc.
- Establish processes that encourage or enforce secure behaviors
- Implement technologies that help steer employees towards more secure behaviors
Detect:
- Implement processes for reporting suspected phishing events
- Implement processes for reporting other suspected security-related incidents or concerns
- Conduct frequent simulated phishing and other social-engineering tests to determine where you need to enhance training or other processes
- Collect data from Security Information and Event Management (SIEM), Data Leak Prevention (DLP), Employee Monitoring Systems, web proxies, and Endpoint Protection Platforms (EPPs) to see where employees are falling short of desired behavioral outcomes
Respond:
- Establish policies and procedures for how your organization will respond to different types of human-related security errors
- Establish phishing response procedures
- Develop plans for communicating enterprise threats and known issues
- Design/model remediation for human-centric issues. Remediation can be any combination of people, processes, and technologies
Recover:
- Conduct after-incident reviews and communication
- Implement improvements
There is immense value in adopting a framework because of the structured manner of thinking that it helps impose. I hope that this brief blog post was useful to help get your creativity flowing as you consider how to adopt the NIST Cybersecurity Framework – or something similar – to map out controls and processes for your human layer.