Nisha Kappillil, Principal Analyst at CybelAngel, joined members of our global team in San Francisco last week for RSA 2020. Motivated by the conversations she had with other information security professionals during the event, she’s sharing her insights and recommendations for how to change the view of humans as a risk variable to humans as a valuable security resource.
RSA 2020 was, despite all the fears of reduced attendance, a very action-packed few days. Alongside the CybelAngel team, I had conversations about today’s evolving risk profiles, security experiences, and best practices with information security professionals from across all industries. Whether I was diving into challenges faced by teams from financial services, consumer goods, or heavy manufacturing, I was struck by the fact that many cyber security risks are truly universal.
Cyber security risks present a common threat that is not discriminatory or prejudiced in who it impacts. Anyone and everyone can be a potential target. And as potentially terrifying as that is, it’s also a uniting factor, bringing the security community together with a common goal—to mitigate that risk.
Following on RSA’s theme of ‘The Human Element’, one of the unifying concerns that came up in my discussion with CISOs and CIOs was that humans are, essentially, walking risk factors. My outlook on this negativity is actually reversed. I see humans—employees—as integral resources in an organization’s battle against data leaks or breaches, provided they’re engaged correctly.
If you’re looking for ways to transition your employees from security risks to security resources, here are my three pieces of advice:
1. Expand awareness and training to address human negligence.
Malicious activities are, to be frank, a sexy topic in the security field. Dark web, hackers, foreign bad actors—all topics that do a great job of attracting attention. And yet, of the most critical data leak alerts CybelAngel sends to our customers, 93% of them are caused by negligence. Moving employee education beyond identifying phishing attempts and protecting their passwords is key in reducing negligence.
Introducing training on best practices for topics such as sharing data with third parties, avoiding unauthorized tools or shadow IT, ensuring proper configuration on cloud platforms, and how to use personal devices like NAS drives securely can help reduce the risk of negligent leaks by well-meaning employees.
Taking this a step further, why not share your organization’s best practices and training materials with your vendors, partners and other third parties? They may not have the same resources or maturity as your teams, and sharing this knowledge will help them keep your sensitive data safe.
2. Stop thinking that technology will solve all your problems.
The right technology, whether integrated in your networks or services operating outside your systems, will undoubtedly help reduce your risk of data leaks. But it can’t do all the work. One of the things I found most exciting when I joined CybelAngel was that there was robust artificial intelligence and machine learning at work in the solution—machine learning that had been refined for 5+ years, and continued to be innovated.
But once I dove into my work as a cyber analyst servicing our customers, I realized that technology isn’t standalone magic. We can’t underestimate the value of a human touch. Technology will help you scale your security coverage, but there’s no replacing the value humans bring to contextualizing risks and providing actionable insights.
3. Ensure teams are focusing on the work that matters.
No one ever has a big enough budget, or enough resources. Headcount on teams can be hard to increase, and that makes it especially important that your organization has its highly skilled security teams working on the right things.
How does this help transition humans from security risk to resource? Security employees struggling with strained bandwidth won’t be able to perform their work as effectively, and things can slip through the cracks.
As part of my work with customers, I deliver incident reports that are used by SOC teams to prioritize and guide their activities. Because these reports are all validated (no false positives or simply suspicious findings), I receive the feedback that I’ve helped them avoid the hassle of trying to get through the flood of non-value-add alerts that they are sent by other security providers.
I encourage you to take a look at where your teams’ skills are strongest, and focus on prioritizing their work to allow them to dedicate their time and energy there. Combing through Shodan to look for open IPs, ad hoc exploration of domain names, even the work of remediation may not be a strong strategic use of their limited bandwidth, and can be outsourced.
One of my favorite things about RSA 2020 was having the opportunity to connect with people from all over the world, from all different industries—all of us driven by common security goals. As so many of us spend our days in front of a screen (or several screens!), being together in person, to chat, explore, and share our insights was invaluable. Exactly ‘The Human Element’ I enjoy so much about my work in cybersecurity.