Tackling the People Problem in Security

Security is a constantly moving target, all right. But which of these three pillars—people, process and technology—is the most vexatious issue in hitting the bull’s-eye?

Felix Mohan, one of India’s top experts on information security, addressed this question at the Delhi leg of DynamicCISO Regional Security Summit recently. (The summits are held in multiple cities in India.)

To make the point loud and clear, Mohan used a simple but powerful twin-visual. The first part showed a cube with a small hole on the front side. The revelation came in the second part, which showed a much bigger hole on the back surface (Didn’t want to say “back side”).

Now, here’s the crux: the tiny hole, which covered barely 10% of the surface area, represents security breaches because of technology gaps; the Real McCoy is the people angle to security, the 90% hole in the other side of the cube through which most incidents actually occur.

And yet, startling as it may seem, 80% of the security budget in a typical organization goes toward plugging that small, tech-related hole. Only a disproportionately small portion of the budget (20%) is allocated for addressing the people issues.

That is not to say that all those next-gen firewalls, data leak prevention tools and encryption solutions do not deserve your attention and investment. But the alarming rise of socially engineered attacks, password/identity thefts and advanced persistent threats all point to the dire need for putting people at the very core of your security strategy.

An indication of the people angle’s significance is the new acronym, PCS, coined by Gartner. In a blog post, Gartner analyst Tom Scholtz describes People-Centric Security as “a strategic approach to information security that emphasizes individual accountability and trust, and de-emphasizes restrictive, preventive security controls.”

The growing role of users in InfoSec is also highlighted in several industry studies. For one, according to the recent 2015Black Hat Attendee Survey, 33% of respondents believe that the weakest link in today’s enterprise IT defenses is “end users who violate security policy and are too easily fooled by socially engineered attacks.”

High concern over the people problem in security even prompted one consultant, Peter Thompson, to give this intriguing headline to his article in a newsletter: “Are you patching your people?”! Thompson further quotes the famous US prez Benjamin Franklin as having once remarked: “Three may keep a secret, if two of them are dead.”

The impact of the gallows humor in Franklin’s remark (which was made way back in 1735) should not be lost on today’s CIOs and CISOs.

But far from wishing for grave consequences for people who can’t help sharing passwords with their cats and girlfriends, what today’s IT decision makers require is adoption of constant training and re-training of people in security best practices—beginning with the top management down to the last employee, even if that person is an outsourced “resource” (who, for all you know, could be a good recourse for hackers out there).

The Cisco 2015Annual Security Report makes some interesting observations and raises relevant questions on people-related issues, among other aspects. Let me just pull out an excerpt here:

“With users becoming ever-weaker links in the security chain, enterprises have choices to make when implementing security technologies and policies: As developers try to make applications and software more intuitive and easy to use, do organizations open new loopholes for cybercriminals to exploit? Do enterprises bypass users, assuming they cannot be trusted or taught, and install stricter security controls that impede how users do their jobs? Do they take the time to educate users on why security controls are in place, and clearly explain how users play a vital role in helping the organization achieve dynamic security that supports the business?”

I don’t remember who said it but someone pointed out a very hard-hitting thing about the people problem in security at the DynamicCISO summit. It was about putting an undue burden of remembering multiple passwords, adhering to complex security policies or procedures and doing sundry other things to prevent security breaches on the poor user. As a connected, credit card-wielding (and shielding!) user, I somehow empathize strongly with that comment. And I suspect that a sizable online population would harbor similar sentiments.

The bewildering number of security procedures, the alarming number of online attacks and their ever-rising stakes, and the presence of multiple screens in a user’s life have made it virtually impossible to avoid trouble. If they are asked to do this or that, use this kind of password or that type of key, and comply with a ton of regulation, most of them would soon choose convenience over safety.

So, on the one hand, you have the need to apply multiple layers of security tools and constantly train people; and on the other, there’s the fatigue and unease felt by most users over time. This makes you wonder if there’s some sort of contradiction in terms here. 

On deeper reflection, however, this contradiction gives way to a balancing act. One can perhaps say that the success of a security strategy in today’s increasingly open world would depend on finding the right balance between tools and policies, between people and processes, between training and ease-of-use…in fact, between any two constructs that look diametrically opposite at first but which must be brought together in a continuum of collaborative responsiveness.

[This blog post first appeared on DynamicCISO.com]