TEISS Head of Consulting, Jeremy Swinfen Green, talks to Martin Smith about the human side of cyber security.
At the TEISS2018 conference, one of the three breakout streams is "Culture and education", chaired by Martin Smith of The Security Company. I asked Martin why he feels that cyber security professionals have ignored the human factor for so long.
"Things are getting better," he said. "Even as recently as 2 years ago this wasn’t on the radar of the average CISO."
But it is still not good. And the trouble is, Martin told me, that so many CISOs come from a technology background. The solutions they buy are technology solutions: people, communicating – that’s not always in their comfort zone.
Also of interest: The cyber skills gap
No money in prevention
The profession is driven by software suppliers who sell solutions to problems. That's a difficulty. There is no money in preventing those problems from happening in the first place. It’s a bit like health. We spend a huge amount of money on drugs and hospitals. If we spent more money on promoting healthy living we wouldn’t need so many hospitals.
"We are addressing the wrong issues", says Martin. "We are all brain surgeons because that’s the sexy thing to be. But the patient is dying of 'flu."
In fact there is no doubt that our failure to address the human side of cyber security is where things are going wrong. On the whole the technology side of things is working. “Look at all the breaches that have happened recently, look at WannaCry: in almost every case the problem has been caused by human failures, not technology failures."
"We’ve fixed the car," he says. "We have the airbags, the power steering, the brakes. But we keep on crashing the car."
Also of interest: Cyber spend rising
It’s not all bad
It is getting better. CISOs are beginning to address issues around people. The membership of SASIG - Security Awareness Special Interest Group - the free-to-join organisation Martin Smith set up several years ago, has doubled in the last year. (I have been to some of these meetings and can’t recommend them highly enough.)
And organisations are starting to recruit security awareness professionals.
Unfortunately though it still seems to be a bit of a box-ticking exercise. "Awareness professionals are being recruited. But often they don’t have a background in security. And they are set up with no budget and no resources. It’s not surprising that they default to Computer Based Training and posters which is all they are able to deliver. It’s still being dealt with at such a basic level."”
"We have joined the gym: but we haven’t started going yet."
Addressing the human side of cyber security needs a strategic approach, an approach that takes in the whole organisation (not just IT), backed up by structured planning, proper resourcing and metrics that can prove effectiveness.
Martin uses the example of software that delivers mock phishing attacks. This sort of tool is popular, perhaps because it delivers some measurable results. But is it effective? “All it does is irritate people”, he says, “irritates the bosses, irritates the employees. You click on a link that looks like it comes from the HR department and get told off and made to go on some CBT. What’s the point?”
What indeed. "Education as punishment?" I suggest. "Yes! We are good at raising people’s anxiety levels. But not so good at helping them keep safe"
Also of interest: Security tops the bill
Cyber, culture and education
So work in progress then. These aren’t difficult concepts. And they deserve to be taken seriously. But keeping people cyber safe does require a structured approach, an approach that reaches across the whole of an organisation.
Martin will be helping us to understand how to achieve that at TEISS 2018. It should be fascinating.