
People Still Matter in Cybersecurity Management

Cybersecurity's constant stream of shiny new things shouldn't distract managers from their focus on the people they're protecting.


In the run-up to the 1992 US presidential election, Bill Clinton's campaign famously had a large sign reading "It's the economy, stupid" in their headquarters. It was a constant reminder of its most important message. As we head into the fourth quarter of 2023, I think a lot of CISOs would benefit from a similar sign reading "It's the people, stupid" posted in their conference room.

The articles wrapping up 2023 and looking forward to 2024 are yet to come (including some from me), but it's safe to say that 2023 has been a year of great distractions, as war, new malware campaigns, industry mergers, and generative AI have each demanded their share of executive attention. It's important, though, that these developments do not distract executives from the human beings who attack, use, and defend their enterprise infrastructure.

Multiplying Effort

It is heartening to hear executives discuss the importance of generative AI in amplifying the efforts of the technical security staff. In some other parts of the business world, the talk is all about replacing staff with AI, but in cybersecurity the skills shortage now seems baked into the conversation, and the result is a more realistic view of AI as a multiplier for existing staff rather than a replacement for them.

The same multiplication of effort that the cybersecurity staff sees isn't in effect for the broad population of users, but there's still a danger that a series of distractions will lead executives to wrong conclusions about the role employees play in cybersecurity. As they look at threats and attacks, both internal and external, executives often fall prey to the common fallacy that employees are their first line of defense. That's true only if their cybersecurity is very poorly designed and implemented.

In truth, employees are the last line of cybersecurity defense. For a malicious payload, criminal URL, or fraudulent message to reach the employee it must first have passed through multiple layers of screens, filters, and defenses. But because employees are the last line of defense, it's critically important that they be trained to recognize and properly respond to the threats that do make their way to enterprise screens. Training, practice, and retraining are all important tools to make sure that this last line of defense is prepared to protect the enterprise as completely as possible.

Criminals Are People, Too

Focusing on malware payloads, system vulnerabilities, and malicious campaigns is natural, and not all bad, but in doing so executives can forget an important fact: All of these are launched, or taken advantage of, by human beings. Those human beings have goals, make mistakes, and can be understood just as other human beings are. And in working to understand humans, it can become easier to defeat their technology and tactics. This should be additional information, not a substitute: I'm not suggesting ignoring the tactics and technology, but the human element behind them cannot be safely ignored either.

Keeping people at the forefront of cybersecurity planning makes it possible to practice the kind of Proactive Security that remediates issues before they're successfully exploited. And it provides critical context for building successful cybersecurity strategies that survive changes in the technologies and tactics employed by those criminal human attackers waiting to pounce on the enterprise.

About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes.

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.
