Security would be easy without users.
That statement is as absurd as it is true. It’s also true that business wouldn’t be possible without users. It’s time to look at the big picture when it comes to cybersecurity.
In addition to dealing with every new risk, vulnerability and attack vector that comes along, cybersecurity pros need to understand their own fellow employees – how they think, how they learn and what they really want.
The human element — the individual and social factors that affect cybersecurity — is as important as technology in protecting against malicious cyberattacks. And yet, in general, most cybersecurity professionals are far more adept, knowledgeable and focused on the technology side.
However, “human failure” will be responsible for over half of all major cyber incidents over the next three years, according to a Gartner report.
And so we find ourselves heading into another season of growing cyberattacks with a gross mismatch between the focus of cybersecurity professionals and the factors that protect against those attacks.
It’s time for a reset.
NIST’s 6 most common security pitfalls
In a recent article by the National Institute of Standards and Technology (NIST), computer scientist Julie Haney focused on the misconceptions commonly held by security specialists about users. As an expert in both cybersecurity technology and the human factor, Haney noted that those misconceptions were mostly about communicating with users.
Called “Users Are Not Stupid: Six Cyber Security Pitfalls Overturned,” the paper highlighted the basics of how and why to partner with users, rather than view them as “the enemy”.
- Assuming users are clueless.
- Not tailoring communications to the audience.
- Unintentionally creating insider threats due to poor usability.
- Having too much security.
- Depending on punitive measures or negative messaging to get users to comply.
- Not considering user-centered measures of effectiveness.
In her paper, Haney cited two studies. One found that 82% of 2021 breaches involved the human element.
And the other pointed out that in 2020, 53% of U.S. government cyber incidents involved employees violating acceptable use policies or falling prey to social engineering attacks.
Nobody needs convincing that people are the problem. But it’s less intuitive to know that people are the solution, too — or, at least, a big part of it.
On that latter point, the research is clear, according to Haney. But cybersecurity pros just aren’t focusing on that research.
One starting point is to read Haney’s NIST paper, linked above. I would endorse her list, and add a few more items.
New mindset: Turning users into partners
Cybersecurity feels like war. And that naturally leads to cybersecurity staff forming a combative mindset.
When you are tasked with securing a massive and growing attack surface amid a constantly evolving threat landscape, vulnerability-prone software, insider threats, new and unprecedented challenges (like the recent shift to remote work), limited budgets, a persistent skills shortage, general understaffing and other constraints, users just seem like another set of problems coming at you.
It’s intuitive to see users as a huge part of the problem; it’s less intuitive to view them as a huge part of the solution.
Focus on shared objectives. The larger conversation between cybersecurity staff and employees feels like the security pros have one set of objectives (preventing and dealing with cyberattacks) that feel at odds with the objectives of everyone else in the organization (winning customers, earning profits, achieving growth goals, minimizing customer loss and many others).
The big picture is that the larger goals of the organization are shared goals. All those business objectives depend on cybersecurity — security is part of what makes them possible. By focusing on shared objectives, users will partner more readily.
Keep language positive; avoid the negative. Focusing on “failure”, “mistakes” and “errors” demoralizes at scale. And demoralized employees who feel intimidated and stupid won’t have the mindset to partner on cybersecurity. Praise good behavior rather than criticize bad behavior. Emphasize the joy of success over the sorrow of failure. Help users understand how and why they’re helping with security, rather than just handing down edicts.
Speak in business terms, not abstractions. Whether talking to the C-suite in budget meetings or the sales staff in cybersecurity training, express yourself in business terms — time and money saved or lost, rather than assuming the facts around cybersecurity can be appreciated in the abstract.
Use plain, respectful language. Learn to express yourself in plain, jargon-free language. Jargon makes sense and provides specificity and clarity to the professionals who dwell in that jargon but can be alienating in the extreme to people outside your profession. Avoid the temptation to solve this mismatch by insisting that users learn the jargon. Instead, learn to express those ideas without jargon and condescension.
Focus on building trust. Consistently express commitment to the objectives of users and be transparent about what you’re trying to accomplish to build empathy, a shared sense of mission and mutual trust.
Forget how to coerce; learn how to persuade. Persuasion is an art that can be learned, and it’s far more effective than coercion. If you use threats and force, users may “route around” your directives every chance they get. But with persuasion, you’ll get users to want not only to follow the letter of best practices but the spirit as well.
Assume most information will be forgotten. CybSafe research found that only 10% of workers remember all their cybersecurity training. The majority of users need reinforced learning, multiple angles of communication and other methods to create a culture of cybersecurity, rather than a training session that all are expected to memorize.
Don’t wait. User communication often falls short for the usual reasons: not enough time, staff or money to prioritize this initiative over other, more pressing concerns. But some of Silicon Valley’s most innovative CEOs will tell you that times of duress and crisis are the best times for innovation and change.
Securing an organization against persistent cyberattacks is not just a technology role. It’s a leadership role as well. Learn to lead through effective human-centric communication. The ability to excel at both sides is the most valuable package of skills a cybersecurity pro can possess.