At this year’s European Information Security Summit, I deconstructed a real-world cyber security incident in order to highlight different ways that human misperceptions and flawed human judgment will often undermine the well-thought-out security protocols and high-powered defensive equipment that could, on their own, pre-empt or contain a breach. People are usually the Achilles’ heel of a good cyber security programme, and that’s why people have to be the primary focus of a successful programme.
The most important piece of advice I offered in my presentation was that all of us in the cyber security community have to overcome our basic human tendency to avoid unpleasant confrontations. We have to act, and act swiftly, when we encounter aberrant behaviour in the workplace that might foretell future (deliberate or accidental) misconduct. In its simplest form, this idea starts with paying attention to what's going on around you, and then directly addressing the early manifestations of a potential problem before it evolves into a catastrophe. Yes, we have to get out into the workplace and interact with other human beings. Tweaking firewall rules and tightening password policies will not, on their own, protect an organisation in which every employee carries an unmanaged smartphone, works from a home broadband connection, and has access to worldwide social media communities; the people using those systems are part of the attack surface, and a control that ignores them is incomplete.
My argument seemed to resonate with the audience. All of us, around the world, share the same problem: we work with people. People, being people, are complicated, overstressed, distracted, and subject to significant and often unpredictable pressures. Many a violation of security protocols could be neutralised early on if only someone in the workplace would pay attention to the potential violator's early behaviour and take action to address their issues. Patch a leaking tyre now to prevent a blowout later. We do that with operating systems – we need to do the same with human beings.
A cyber security programme that focuses on static rhetoric and draconian policies isn't likely to have any meaningful effect on the people who most need help from the cyber security team. For us to make a practical difference, we need to be a welcome presence all the way down to the shop floor. We must make it clear to our colleagues that we value each of them as individuals. We need to demonstrate that we're concerned about each worker's personal success, and that we want to be their trusted guardians, not their oppressors or an obstacle on their path to success. We need the rest of the business to trust us, and for that to happen, we need to invest in building legitimate, reliable relationships with the people we're empowered to support and protect.
Professional relationships matter! From a programmatic perspective, you can't convince an overburdened and stressed-out line-of-business employee to take personal responsibility for the abstract defence of their kit if they're deeply worried about more immediate concerns. In parental calculus, a small child with a fever takes precedence over remembering to close applications and lock a workstation at the end of the day. That's not laziness or malfeasance – it's just the parent role taking precedence over the employee role. We should empathise, not castigate.
Talk to your people. Learn what their problems are, and help solve them. Earn your co-workers' trust by helping to shoulder their burdens, and they'll help you by paying attention to your announcements, monitoring their systems, and reporting suspected indicators of adversary action. Be your workers' ally first, and they'll reciprocate by becoming an extension of the cyber security department.