Point-Counterpoint: Should Companies Invest More in Skills or Tools?

AUTHOR PROFILE Stephen Bonner is a partner in the cybersecurity team at KPMG, where he leads a team focused on financial services. Before KPMG he was group head of information risk management at Barclays. Bonner was inducted into the Infosecurity Europe Hall of Fame in 2010.

People are the Most Important Piece of the Cybersecurity Puzzle, by Stephen Bonner

In IT, there is a common belief that a good programmer is 10 times more valuable and productive than a mediocre one. But developers are working in a relatively static environment. Their goals are constant – once you’ve written code that works really well, the environment doesn’t adapt to break it. There is business change, but the underlying approach is still optimal for that environment.

Cyber is another world – once we solve a problem, the environment and the attackers in it evolve to attempt to invalidate our solution. We must refresh our knowledge, and continually update our work, just to stay in the same place.

If we give a mediocre programmer a value of one, and the rock star equivalent 10, we might find that a mediocre security professional, even after all their tools are factored in, is still a one. The rock star equivalent, with the addition of tools, will become a 100.

Tools are a force multiplier, but multiples of zero are still zero. In the worst case, an incompetent security professional, given powerful tools, may actually become dangerous. For example, it is easy to block legitimate business emails with a poorly configured data loss prevention system, while still allowing essential information to be stolen.
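The data loss prevention failure described above, as an added illustration that is not code from the article or from KPMG: a crude rule that treats any run of 16 digits as a payment card number blocks a harmless invoice reference, yet misses a real card number written with separators. A rule that normalizes separators and applies the Luhn checksum gets both cases right. The messages are constructed sample text, not real data.

```python
"""Toy DLP check: a crude rule versus a tuned one (added example, constructed data)."""
import re

# Crude rule: "any run of 16 digits is a card number".
NAIVE_CARD = re.compile(r"\b\d{16}\b")

# Tuned rule: digits may be separated by spaces or dashes; the candidate must
# also pass the Luhn checksum before it is treated as sensitive.
CANDIDATE_CARD = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def naive_dlp(message: str) -> bool:
    """Block if any bare 16-digit run appears (over-blocks, under-detects)."""
    return bool(NAIVE_CARD.search(message))


def tuned_dlp(message: str) -> bool:
    """Block only if a Luhn-valid, card-like number appears, separators allowed."""
    for m in CANDIDATE_CARD.finditer(message):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            return True
    return False


# Constructed sample messages (not real data).
MESSAGES = {
    # Legitimate business mail: a 16-digit invoice reference, not a card number.
    "invoice": "Please pay invoice ref 1234567890123456 by Friday.",
    # Exfiltration attempt: a test card number written with dashes.
    "leak": "Card: 4111-1111-1111-1111 exp 12/29, keep this between us",
}


def compare(messages=MESSAGES):
    """Return {name: (naive_blocked, tuned_blocked)} for each message."""
    return {name: (naive_dlp(m), tuned_dlp(m)) for name, m in messages.items()}


if __name__ == "__main__":
    for name, (naive, tuned) in compare().items():
        print(f"{name:8s} naive_blocked={naive!s:5s} tuned_blocked={tuned}")
```

Run stand-alone, the crude rule blocks the invoice and lets the card number through; the tuned rule does the opposite. The point is not the regex itself but that a detection control is only as good as the understanding behind its configuration.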

A poor-quality security professional doesn’t just fail to implement good security – they can cause a security breach. Social engineering and phishing succeed because of a failure on the part of staff – a failure that cannot be prevented with technology.

There are plenty of people selling tools to solve your problems and superficially this can seem tempting. But default configurations are for default organizations, and your organization isn’t default.

In the right hands, tools can be useful, but in the wrong hands, tools can also be turned against us. Attackers will often attempt to gain access to security control systems and exploit these to extend their footprint within organizations.

Because tools are predictable, attackers train against them until they can defeat them, then they launch attacks – only a swift response by skilled people can outwit attackers.

In my years of cybersecurity work, I’ve found the key ingredients to successful cybersecurity are context, creativity and communication.


You need to look at the context of a situation to understand whether a particular behavior is cause for concern, or perfectly normal. Tools are beset with false alarms – they don’t understand context, and hence they over-alarm or miss subtle cues that a skilled human would pick up.
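To make the point about context concrete, here is an added example that is not code from the article: two alert rules run over the same constructed login log. The context-free rule fires on every successful login outside a static list of "home" countries, so a travelling user generates alerts on every trip. The context-aware rule fires only when a user succeeds from a country they have never used before and that success follows repeated failures from the same place, a cue the static rule cannot see. The threshold and the log lines are constructed for illustration, not taken from any real system.

```python
"""Context-free versus context-aware login alerting (added example, constructed data)."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample log lines (not real data).
LOG = """\
ts,user,country,result
2015-03-01T08:00:00Z,alice,GB,success
2015-03-02T08:05:00Z,alice,GB,success
2015-03-03T09:10:00Z,alice,FR,success
2015-03-04T09:12:00Z,alice,FR,success
2015-03-05T02:30:00Z,alice,RU,failure
2015-03-05T02:31:00Z,alice,RU,failure
2015-03-05T02:32:00Z,alice,RU,success
2015-03-01T10:00:00Z,bob,US,success
2015-03-06T11:00:00Z,bob,US,success
"""


def parse(log: str = LOG) -> list[dict]:
    """Parse the CSV log into a list of event dicts."""
    return list(csv.DictReader(StringIO(log)))


def context_free_alerts(events: list[dict], home=frozenset({"GB", "US"})) -> list[dict]:
    """Tool-style rule: alert on every successful login outside a static list."""
    return [e for e in events if e["result"] == "success" and e["country"] not in home]


def context_aware_alerts(events: list[dict], min_failures: int = 2) -> list[dict]:
    """Analyst-style rule: alert on a success from a country new to that user,
    but only when it follows at least `min_failures` failed attempts from the
    same user/country pair (a brute-force-then-success pattern)."""
    seen = defaultdict(set)              # user -> countries already used
    failures = defaultdict(int)          # (user, country) -> consecutive failures
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["country"])
        if e["result"] == "failure":
            failures[key] += 1
            continue
        new_country = e["country"] not in seen[e["user"]]
        if new_country and failures[key] >= min_failures:
            alerts.append(e)
        seen[e["user"]].add(e["country"])
        failures[key] = 0                # a success resets the failure streak
    return alerts


if __name__ == "__main__":
    events = parse()
    print("context-free :", [(e["user"], e["country"]) for e in context_free_alerts(events)])
    print("context-aware:", [(e["user"], e["country"]) for e in context_aware_alerts(events)])
```

On this log the context-free rule raises three alerts (two for alice's trip to France, one for the Russian login), while the context-aware rule raises one, on the login that actually looks like an account compromise. Real deployments would draw the user history from an identity provider and tune the threshold; the structure of the comparison is what the example shows.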

In order to respond to an incident and outwit the attackers, you need creativity. Attackers become familiar with responses, so new ones are more likely to trip them up. Although cybersecurity is a higher priority in many organizations than it once was, it is still rarely a high priority for a development team – you need creativity to help them meet your goals without missing their own.

Communication, within and beyond your organization, is key to cybersecurity success. Approachable, friendly members of staff with strong people skills get better information from all directions and convince the entire organization to do the right thing. When was the last time a robot convinced you of anything?

When users are given automated responses that do not convey the logic behind them, they focus their creativity on circumventing your controls, not embracing them.

Context, creativity and communication are all things that tools are unfortunately terrible at. Pop-up browser warnings are laughably ineffective – most users click ‘Yes’ without even reading the associated text, but an informed discussion by a passionate security professional can swiftly strengthen a user’s online behavior.

I concede that tools are essential to deal with low-level repeated attacks. They automate much of the growing workload that we all face. The shortage of skilled people elevates their importance, but only when properly configured, managed and maintained. Tools without craftspeople give a false sense of security, while they rust in the corner.

AUTHOR PROFILE Charles Foley is chairman and CEO of Watchful Software. He has over 20 years of experience leading both private and public company teams to success. Prior to Watchful Software, he was the chairman and CEO of TimeSight Systems.

In Re-assessing Security, Technology Holds the Key, by Charles Foley

We’re now facing the next phase of cybersecurity attacks, with new ‘bad guys’ and attack vectors. As with any paradigm shift, pundits are up in arms, asking ‘How is this happening? Why don’t our defenses hold up?’ This has ballooned into one of the stronger debates occurring in IT meetings – and even boardrooms – globally.

It raises a key dilemma: budget is finite, so do we hire more security experts, or spend on advanced technology to keep us safe?

Unfortunately, that’s a flawed decision process from the start, with either road leading to failure. Simply hiring more IT security experts won’t necessarily enhance competency; you may simply find yourself with a greater number of uninformed people.

Likewise, throwing money at an ever-escalating array of firewalls and network appliances is not guaranteed to pay off either. You could find yourself broke and exposed (with lots of iron). So does this mean you’re damned if you do, and damned if you don’t?

Not necessarily. The fact is that, to fight the current (and future) onslaught of cyber-criminals, organizations must revitalize three core areas: strategies, competencies, and technologies. Start by revisiting your core strategy of defense.

The starting line in the post-Snowden, Target-sensitized, Sony-aware era is one fundamental question: ‘Do we have the right strategy to secure data in today’s world?’

Most experts agree that the IT industry needs to enact a rapid shift from ‘network-centric’ to ‘data-centric’ strategies. With the tidal wave of BYOD and wholesale defection to the cloud, legacy strategies built on a secure-the-perimeter mind-set are no longer adequate; there simply is no network perimeter to secure any longer.

Incredibly sensitive communications – such as confidential emails – are done on BYOD smartphones. Users tap ubiquitous cloud storage for housing product plans, IP, and financials with no idea of the security parameters. Board presentations are delivered to Wi-Fi tablets in coffee shops around the world. Hence, the strategy focus must shift from ‘protect the perimeter’ to ‘protect the data’.


Only a move from ‘castle walls’ to ‘bodyguards’ can ensure that information is safe regardless of where it’s created, where it’s sent, where it’s stored, or who finds a way to get their hands on it.

And you can’t scale enough to do this with just people – it must be done with technology.

This doesn’t mean you should stop investing in intellectual capital. But don’t rely on acquiring more so-called experts. Today, every single corporate user is a potential breach point; you can’t assign an IT expert to each employee and stay in business.

It’s simple math: when all users were in a single network perimeter (circa 2000), you could invest in a stronger perimeter, with a few ‘guards’ patrolling. But now that there is no perimeter (circa 2015), you must realize that the only path to safety is to assign a ‘bodyguard’ to each user, in essence making sure each user has a mini-CISO riding shotgun at all times. To scale, these mini-CISOs can’t be people, they must be technology instances.

This thinking should drive your new technology investment strategies.

Technology to protect today’s mobile, cloud-based information has to be ubiquitous, all-encompassing, and smart. It should be ubiquitous in that it protects data on any device users employ; all-encompassing in that it analyzes any kind of data to see if it’s sensitive and potentially toxic; and smart in that it identifies and encrypts sensitive information the moment it’s created, staying with it regardless of where it’s sent, stored, or used, even if the user doesn’t know this is going on.

Prioritize your IT investment strategy to increase and re-validate the competency of your team (~10%); fill ‘gaps’ that might exist on the team (~10%); and invest in technologies (~80%) that are perimeter-agnostic, and data-centric. That’s how you keep from being tomorrow’s data breach story of the day.
