Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

3/1/2019
10:30 AM
Ira Winkler
Ira Winkler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Security Experts, Not Users, Are the Weakest Link

CISOs: Stop abdicating responsibility for problems with users - it's part of your job.

There are countless articles, conference speakers, panelists, and casual conversations among IT and security personnel lamenting that users are the weakest link in security. The claim is that no matter how well you secure your organization, it takes just one user to ruin everything. While there's no doubt that a user can take down these "experts'" networks, the problem lies not with the user, but with the experts.

As I wrote in my previous column, user actions are expected and, most importantly, enabled by security staff. The problem with the expression "the users are the weakest link" is that it abdicates responsibility for stopping problems. Security professionals may believe that they did everything they could, but they're really just giving up.

All a Part of the System
Here is what's critical: Users are a part of the system. They are not accessories. They serve a business function that requires interaction with your organization's computer systems. To determine that a part of the system — users — will always be insecure and there is nothing that you can do about it is a failure on your part.

Consider just about any other discipline within an organization. Accounting has processes in place to deal with the expected human actions involving financial mistakes and malfeasance. You do not hear CFOs declare that they can't keep accurate financial records, because users are the weakest link. COOs don't say their organizations can't run effectively, because they have humans involved in operations. Any CFO or COO who made such a claim would be rightfully fired, because they are responsible for their processes, which have humans as a critical part of those processes and they must figure out how to effectively manage those people.

CISOs who cannot figure out how to effectively manage humans using systems they are responsible for protecting should be disciplined, if not fired, for proclaiming they are failing to deal with a critical aspect of their systems. Just as systems have to be designed to protect from the expected external hacking attacks, they must be designed to protect from expected user actions.

One critical aspect is that security professionals seem to believe that the solution to deal with human mistakes — and remember this doesn't deal with intentional malicious actions — is awareness training. But the reality is that although awareness training can be valuable, it is not perfect. This reliance on an imperfect countermeasure is behind the negligence in proclaiming users the weakest link.

Security professionals must realize that while awareness reduces the risk, their job is not finished. First we must consider that most awareness programs are poor. From experience, observation, and research, most awareness programs are not achieving their desired goals in creating strong security behaviors. Even assuming they could, security professionals would still need to create comprehensive programs that implement the supporting processes and technical countermeasures. This would account for both the inevitable user error as well as the malicious actions.

However, instead of security professionals acknowledging that they have failed to account for expected user failings or malfeasance, they blame the user. That is unacceptable.

While one my previous columns described the need for a human security officer to address the users from a comprehensive perspective, in short, you need to have a process in place that looks at potential user failings regarding:

  • What are critical processes or likely areas where users can create damage?
  • Analyzing and improving the processes to remove user decision-making, or specifying how decisions should be made, if they cannot be removed.
  • Implementing technology that prevents the opportunities for users to cause damage, as well as technology that mitigates damages if proactive measures don't work.
  • Developing awareness programs that focus on informing users how to make decisions and do their jobs according to the established processes.

Just as CFOs and COOs cannot simply state that the user is the weakest link to justify failures in the processes that they oversee, the CISO cannot blame users for failures in security processes. The user is an embedded component of organizational computer systems, and it is negligent not to put in a set of comprehensive countermeasures to prevent, detect, and mitigate the anticipated failings of that component.  

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Ira Winkler is president of Secure Mentem and author of Advanced Persistent Security. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
paul.dittrich
100%
0%
paul.dittrich,
User Rank: Strategist
3/1/2019 | 11:28:44 AM
A badly-flawed analogy
Using CFO or COO as an example of effectively managing people-based security risks is a flawed analogy and very unfair to CISOs / CIOs.

The CFO has a very strong and extensive set of detailed legal and regulatory requirements which codify many years (centuries?) of experience countering bad actors both internal and external.  The solutions are well known and CFOs enjoy a very high success rate of preventing or quickly detecting problems.

The COO has an alphabet soup of groups (again, based on many years of experience) to provide detailed guidance on how to mandate "safe" working conditions and processes.  And the COO is very unlikely to worry about a single human crippling or even destroying the entire company.

The CISO/CIO has much weaker legal / regulatory support to handle a threat landscape which is still rapidly evolving.  And their worst nightmare is a single user who either willfully or accidentally causes a major problem - a breach or an outage.

Nor do the CFO and COO have to worry about a CEO who never ever says "No" to a developer.....
REISEN1955
0%
100%
REISEN1955,
User Rank: Ninja
3/1/2019 | 10:43:08 AM
Different category
This is argumentative if you place a user on the same platform as a security expert.  They are entirely different animals.  Some users, no matter how much education is thrown at them - and we need more of that - listen up Security experts - do NOT get it ever.  They won't.  Why?  A thousand reasons, most ignorant of the tech stuff and some just live that way.  Security experts know more than users of course but have a different realm of responsbility.  WE know not to click on an attached invoice - but put a whitelist or watchlist in front of us and we are on a different planet.  No - we are both either as weak or strong as we choose to be. 
<<   <   Page 2 / 2
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12960
PUBLISHED: 2019-06-25
LiveZilla Server before 8.0.1.1 is vulnerable to SQL Injection in functions.internal.build.inc.php via the parameter p_dt_s_d.
CVE-2019-12961
PUBLISHED: 2019-06-25
LiveZilla Server before 8.0.1.1 is vulnerable to CSV Injection in the Export Function.
CVE-2019-12962
PUBLISHED: 2019-06-25
LiveZilla Server before 8.0.1.1 is vulnerable to XSS in mobile/index.php via the Accept-Language HTTP header.
CVE-2019-12963
PUBLISHED: 2019-06-25
LiveZilla Server before 8.0.1.1 is vulnerable to XSS in the chat.php Create Ticket Action.
CVE-2019-12964
PUBLISHED: 2019-06-25
LiveZilla Server before 8.0.1.1 is vulnerable to XSS in the ticket.php Subject.