Security: It’s All about the People


As the Rolling Stones once said: please allow me to introduce myself. I’m Joe O’Halloran and it’s my pleasure to be stepping into the shoes of Eleanor Dallaway for the next year during her maternity leave, building on the phenomenal job that she has been doing here, as editor and publisher, for so long.

After more years than I’d like to mention reporting on IT security, and even working for a leading vendor of security products and services for over five years, I feel qualified to say that there are not many sectors quite like this industry. How many people working in other sectors could claim that the fundamental nature of their industry was so far reaching? So innovative? So fast moving? So fundamental to the smooth and effective running of businesses, no matter their size, nature or location?

A classic example of the latter was the breach at Sony Pictures in November 2014, something that had far reaching repercussions for not only the company itself — just look how many senior executives present before the attack are not there anymore — but for all firms. It’s the type of event that sends a shiver down the spine of all of those in charge of protecting businesses. The fallout from the Sony attack is still dropping and given the sheer volume of confidential information stolen it seems there will be more to come for some time. It’s all a huge case study in reputational damage, and, if rumors are to be believed, a sign of a more worrying trend of sophisticated nation-state backed cyber-espionage and cyber-war.

Much less threatening, but clearly showing the level of innovation, invention and creativity of the hacking community, has been the use of games as an entry vehicle. The recent past has seen a number of people — apparently including the NSA — attempting to use app stores to send malware to targets via popular games.

But the good news is that even though the nature and location of threats becomes more diverse, widespread and – well yes – innovative, the security industry is ready to step up to the plate to counter such threats with its own degree of effectiveness and innovation.

Indeed, security strategies are evolving rapidly, becoming more proactive as regards to not only protection, but also detection, response and recovery.

Yet despite the technology that such things are based on, I’ve always been of the view that fundamentally, security is all about people. It’s all about the nature of the attacker, what their motivations and objectives are; the nature of people whose human nature makes them fall prey to such attacks. Indeed, what are social engineering attacks but the result of bad decisions by people who have been influenced and manipulated? In the games example, one successful threat vector has been burying malware in apps that are cheats for Minecraft. Caution does seem to go out of the window when it comes to games.

For example, successful proactive defense is based not just on understanding the technical nature of attacks, it’s a case of getting to know the enemy and the personalized context of the plans and techniques used to successfully carry out a cyber-attack. It’s all about arming yourself with the intelligence required in order to really know your adversaries and understand their gameplay.

But before you can arm yourself, you need to be funded to do so, and this is contingent on getting buy-in from your senior management. It may seem blindingly obvious, but as essential as it is for effective information risk management, the fact is that ensuring this buy-in isn’t yet universal common practice.


Even though cybersecurity has made it on to some board agendas as a result of increasing regulation, government pressure, and high-profile breaches, this doesn’t always translate into effective information security decision-making or support. There has always been an element that regards security as a resource and investment sink where budgets always increase. As those of us in the industry know, there are very good reasons for this continual added investment; but it’s wrong to assume that this is appreciated everywhere.

This all places increasing importance on knowing how to articulate risk to your senior management effectively, demonstrating return on investment and earning their buy-in. That means that it’s crucial to have the people skills to sell to your management the idea of just how important security is, that it is a profit center that protects both tangible and intangible company assets. No company board would argue with that.

There are few certainties in life but one surely is that IT security threats will increase in terms of scale and location. Alarmingly, it would appear that even commercial aircraft are now a target for hacking – mid-air.

But in a market that changes almost by the hour, I’d like to guarantee one thing that won’t change: the excellence and relevance of the Infosecurity product you’ve been used to dealing with. That’s the Infosecurity brand. I’m looking forward to what the industry has to offer.
