Enterprise cybersecurity technology research that connects the dots.

People Still Matter in Cybersecurity Management

Cybersecurity's constant stream of shiny new things shouldn't distract managers from their focus on the people they're protecting.

3 Min Read
People dressed casually gather around a table covered with papers. They're talking about the content of the documents.
Source: StockSnap via Pixabay

In the run-up to the 1992 US presidential election, Bill Clinton's campaign famously had a large sign reading "It's the economy, stupid" in their headquarters. It was a constant reminder of its most important message. As we head into the fourth quarter of 2023, I think a lot of CISOs would benefit from a similar sign reading "It's the people, stupid" posted in their conference room.

The articles wrapping up 2023 and looking forward to 2024 are yet to come (including some from me), but it's safe to say that 2023 has been a year of great distractions as war, new malware campaigns, industry mergers, and generative AI have each demanded their share of executive attention. It's important, though, that these developments do not distract executives from the human beings that attack, use, and defend their enterprise infrastructure.

Multiplying Effort

It is heartening to hear executives discuss the importance of generative AI in amplifying the efforts of the technical security staff. In some other parts of the business world, the talk is all about replacing staff with AI, but the idea of a skills shortage in cybersecurity seems baked into the conversation, now, and a more realistic view of AI is a result.

The same multiplication isn't in effect for the broad population of users as that seen by the cybersecurity staff, but there's still a danger that a series of distractions will lead executives to wrong conclusions about the role employees play in cybersecurity. As they look at threats and attacks, both internal and external, executives often fall prey to the common fallacy that employees are their first line of defense. That's true only if their cybersecurity is very poorly designed and implemented.

In truth, employees are the last line of cybersecurity defense. For a malicious payload, criminal URL, or fraudulent message to reach the employee it must first have passed through multiple layers of screens, filters, and defenses. But because employees are the last line of defense, it's critically important that they be trained to recognize and properly respond to the threats that do make their way to enterprise screens. Training, practice, and retraining are all important tools to make sure that this last line of defense is prepared to protect the enterprise as completely as possible.

Criminals Are People, Too

Focusing on malware payloads, system vulnerabilities, and malicious campaigns is natural, and not all bad, but in doing so executives can forget an important fact: All of these are launched, or taken advantage of, by human beings. Those human beings have goals, make mistakes, and can be understood just as other human beings are. And in working to understand humans, it can become easier to defeat their technology and tactics. This should be additional information — I'm not suggesting ignoring the tactics and technology — but it cannot be safely ignored.

Keeping people at the forefront of cybersecurity planning makes it possible to practice the kind of Proactive Security that remediates issues before they're successfully exploited. And it provides critical context for building successful cybersecurity strategies that survive changes in the technologies and tactics employed by those criminal human attackers waiting to pounce on the enterprise.

About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights