Cybersecurity is (not only) about Technology
Matthew Rosenquist
CISO at Mercury Risk. - Formerly Intel Corp, Cybersecurity Strategist, Board Advisor, Keynote Speaker, 190k followers
One of the biggest misconceptions is thinking cybersecurity is only about technology. In fact, people and their behaviors play a prominent role in almost every aspect of protecting digital assets. Without proper consideration for the human element, security strategies are destined to fail miserably.
In this Week’s Video Blog
I cover some of the aspects, history, and recommendations for better perspectives to improve security planning by embracing the human factors.
Cybersecurity cannot be achieved with just technical controls. Technology and people are two sides of the same coin and must be handled together. A strong anti-malware suite is meaningless if the end-user disables it so they can install a new piece of desired software. The best network firewall is ineffective if the user bypasses it by bringing in a USB drive to directly connect to systems. The strongest password is pointless if users fall for phishing scams and give it to attackers. The best software code eventually becomes exploitable if it is not engineered by the designers to be patched when new vulnerabilities are discovered.
Then there are the attackers. Behind every network intrusion, spam email, ransomware campaign, and denial-of-service attack is a real person. It may be technology that executes the acts, but it is a human who is initiating and coordinating it. Attackers are driven by motivations that manifest into objectives. These are then pursued by whatever methods are at the attackers’ disposal.
A cyber-criminal is typically motivated by personal financial gain. Therefore, they seek to obtain monetary assets through theft, fraud, extortion, or other means. They target, like the famed bank robber Willie Sutton, “where the money is” and will follow the path of least resistance to obtain their objectives. These factors determine targets and drive behaviors which may result in phishing, ransomware, network breaches, fraudulent sites, malware, or many other technical possibilities. If one fails, they move on to another. If a method is successful, they refine it and press further for more gain.
Predominant View
I have found most people in cybersecurity are narrowly focused only on the technical aspects and largely ignore the behavioral side of the equation. This is a grievous mistake. Perhaps they are not comfortable with understanding the behavioral perspectives or believe that by simply closing all the vulnerabilities, security will magically be fixed. Regardless, most initially feel that technology can overcome people’s bad decisions, poor behaviors, and malicious intent. They are wrong.
Those who are not security savvy fail to see that technology is just a tool. Those tools are wielded by people, for their own purposes and sometimes in unexpected or mistaken ways. Therefore, there will always be significant gaps in security if technology and behaviors are not addressed simultaneously.
Weak Security Strategy
Cybersecurity plans that only focus on system patching, firewall rules, access control lists, and passwords are immature for today’s challenges. It is no longer enough. Training of users, developers, operations, and even customers is very important. We must not rely on uneven perimeter defenses. Security must be woven throughout the system to be truly effective, both from a cost and risk perspective.
Advice
Embrace both sides of the equation, both technical and behavioral. Don’t be blindsided by only looking at cybersecurity through a technology lens. Although tech is hugely important, so is comprehending the behavioral aspects of people, from attacker to victim, involved in the ecosystem.
Understanding both technology and behavioral controls will help close significant gaps in risk mitigation efforts.
More Cybersecurity Misconceptions videos can be found at the Information Security Strategy YouTube channel.
Interested in more? Follow me on LinkedIn, Twitter (@Matt_Rosenquist), YouTube, Information Security Strategy, and Steemit to hear insights and what is going on in cybersecurity.
--
6 years: Mostly about human quality and competency, and provide tech that fixes the behavior. Eliminate the passwords and you eliminate what the users compromise.
Technical Program Manager - Pro code, Low code, Cloud native apps
6 years: A firm which puts a lot of effort into spreading cyber security awareness among employees, contractors and any other in the chain will have the most cyber resilient system built.
Leadership Advisor - Security, Risk & Compliance - M&A
6 years: If you are going to aim at changing human behaviour, you should address the root cause. Direct your attention to changing the behavior of hackers and thieves. Alternatively, remove humans from the equation: start working on AI and automate all knowledge worker jobs involved with sensitive data and systems management. You have a better chance of success with that than with changing people.
Cybersecurity Lead | MSc | SSCP |
6 years: Correct, not only technology can protect. The main and core item is people's knowledge of what cyber security is and how not to be attacked. Social engineering is one example.