For all the escalating and intensifying digital challenges that cybersecurity professionals must constantly mitigate and navigate, perhaps the biggest security vulnerability of all is decidedly analog: Our own human fallibility.
“People get tired,” says Digital Big Bang author Phil Quade. “They make mistakes. They are poorly trained. People will continue to undermine the security of our systems, so we must actively and intelligently use machines to compensate for human limitations.”
It is a delicate balance between needs that often seem at odds with each other, and the negative and positive consequences of digital innovations.
“A defining attribute of our species is our unresolvable contradictions,” Quade notes. “We are intensely social, drawing together to form highly interconnected societies and systems. We also can be shockingly antagonistic and prone to conflict. Our finest minds have worked tirelessly for the benefits of humanity, but some of their work has been harnessed for greed and exploitation. This is certainly true of the digital universe.”
The key to resolving these conflicts is to avoid dichotomies and false choices, such as between security and privacy. “Until we embrace the fact that it’s not security or privacy but both, sustainable higher order cybersecurity will not thrive,” Quade says.
Balancing these conflicts efficiently often starts with shifting the perspective.
“Many organizations have focused on finding purely technical solutions,” says Michael Daniel of Cyber Threat Alliance. “They hope for a single technological tool that would solve the challenge and make the problem go away. But one tool is simply not going to do the job. It requires integrating approaches from a number of different disciplines in order to get at the problem, and moving out of the mindset that because this problem is being generated by the IT environment, the solution has to therefore come from IT. In other words, as a CIO or a CISO, you’re no longer just managing IT and security; you’re managing complexity.”
Managing this complexity takes on even greater significance when privacy issues arise, though. And when organizations fail to strike the proper balance, they risk creating a level of complexity that creates far more challenges—including shadow IT created by users finding workarounds to features they find invasive.
At the same time, intensifying regulations such as GDPR have implemented costly penalties for privacy violations.
“In the GDPR era, organizations must know what information they gather and why,” advises Kevin Miller of MGM Resorts International. “Information that was previously considered so benign as to be included on a business card is now covered data—a name, postal address, email, telephone number, and a photograph on an employee badge. To many modern digital businesses, data is considered the company’s most valuable asset. But now, data may also be considered a liability and even a risk. If you collect it, you must protect it.”
That scenario of internal workarounds and external regulations creates high stakes for many organizations. The solution may be addressing the human error directly.
“You can always apply technology solutions to a problem, but it only takes the least capable person in the room to ruin them for you, so you must also take a human approach,” says Kevin Kealy, formerly of Ingram Micro. “In my experience, education is one of the most cost-effective ways to secure your organization. I believe that people will generally do the right thing if appropriately educated. But even then, you still have to deal with human frailty.”
The solution? “Design for the human,” says Theresa Payton of Fortalice. “Use behavioral analytics and existing data to provide better security while making access to the resources they need to do their job as easy and seamless as possible.”