I remember the exact moment I changed how I design a security strategy to fit the reality of the modern threat landscape. It was my first day on the job as Chief Information Officer in the George W. Bush White House in 2006. Our office knew we had to win the hearts and minds of the White House staff if we wanted to protect their privacy and security; if solving cybersecurity and privacy problems were as simple as following security best practices, we would all be safe already.
Two key questions came to me during my first 90 days at the White House, and I had to answer them or we would have faced a major calamity: Why, in spite of talented security teams and security investments, do breaches still happen? Why, despite hours and hours of boring computer-based training and security campaigns, do we still make mistakes and click on links?
Applying these same questions to industry means taking incremental steps and viewing the problem of user education not as a technical or economic issue but as a human psychology issue. To make evolutionary change in cybersecurity we need to teach cybersecurity professionals to take human behavior into account when developing security strategies, then to build that knowledge into the design and implementation of information systems, including the right incentives for positive behaviors.
The way we design security today, we have zero empathy. Designing with empathy means building every application on the assumption that users will do everything wrong. According to the cybersecurity playbook, people will share passwords, people will forget them, and they will do unsafe things to get their jobs done, such as use free, unsecured WiFi. Haven't you?
Today, the banking industry is leading the way with this kind of human-centered design, asking systems to conform to the human and not the other way around. For starters, many banks will use your Social Security number to check your credit, but not as your customer identifier. If a hacker breaks into one of the many back-office banking systems and steals your data, they will not get your Social Security number. Banks have also built online banking programs that assume your device is already infected, and offer free software that helps protect your computer while providing a more secure transaction.
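The design point above, an opaque customer identifier with the Social Security number kept out of the customer record, can be shown in a few lines. The following is an added example, not code from any bank or from the original article. The two in-memory dictionaries stand in for two separate stores on separate systems; the key, the record layout and the sample customer are all constructed for illustration.

```python
import hashlib
import hmac
import json
import re
import secrets

# Constructed example: a key held only by the SSN vault service. Everything
# below is an assumed layout for illustration, not a real bank's schema.
INDEX_KEY = secrets.token_bytes(32)

customers = {}   # customer_id -> profile; what most back-office systems see
ssn_vault = {}   # blind index -> SSN; a separate, tightly controlled store

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def blind_index(ssn: str) -> str:
    """Keyed hash of the SSN. Without INDEX_KEY the value cannot be reversed
    or even brute-forced from the ~10^9 possible SSNs, so a copy of the
    customer store alone does not leak the number."""
    return hmac.new(INDEX_KEY, ssn.encode(), hashlib.sha256).hexdigest()


def enroll(name: str, ssn: str) -> str:
    """Create a customer keyed by a random, opaque ID. The profile carries only
    a blind index of the SSN; the SSN itself goes to the vault."""
    if not SSN_RE.fullmatch(ssn):
        raise ValueError("SSN must look like NNN-NN-NNNN")
    customer_id = secrets.token_urlsafe(12)   # unrelated to the SSN
    ref = blind_index(ssn)
    customers[customer_id] = {"name": name, "ssn_ref": ref}
    ssn_vault[ref] = ssn
    return customer_id


def ssn_for_credit_check(customer_id: str) -> str:
    """The one path that needs the real SSN: resolve the blind index through
    the vault. This is the call to audit and rate-limit."""
    ref = customers[customer_id]["ssn_ref"]
    return ssn_vault[ref]


def customer_store_exposes(ssn: str) -> bool:
    """Simulate a breach of the customer store: does a full dump of it
    contain the SSN in clear?"""
    return ssn in json.dumps(customers)


if __name__ == "__main__":
    cid = enroll("Alice Example", "123-45-6789")   # constructed sample
    print("customer id:", cid)
    print("dump of customer store leaks SSN:", customer_store_exposes("123-45-6789"))
    print("credit check resolves SSN:", ssn_for_credit_check(cid))
```

The separation only pays off if the vault really is a separate system with its own access controls and logging; keeping both dictionaries in one process, as this illustration does, demonstrates the data layout but not the blast-radius reduction.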
Many of the banks also led the way with authentication strategies, adding another step on top of your user ID and password to give you better confidence. They may look at your computer's unique device ID. They may let you set up security questions and answers. In some cases, they will text a code to your mobile phone. All of these are simple to use while adding another deterrent to cybercriminals.
We used a similar strategy at the White House. We knew breaches and incidents were inevitable, so we decided our best strategy was to segment data in order to protect it. Instead of storing something such as the President's schedule in one place, we segmented ownership across multiple teams, multiple systems, and disconnected networks. This practice requires a high level of collaboration and finely tuned synchronization, but the risk versus reward is worth it.
We also realized that the White House staff were busy, and if we expected them to be security experts they could not focus on their jobs and we would fail at ours. That is why we focused on designing for the human. We assumed that long briefings and boring computer-based training programs were ineffective, and redesigned them around a few key points to get better results. One example was shortening our smartphone briefing to two key points: report a missing smartphone immediately so we could locate it, and tell us if you are traveling abroad, for fun or for White House business, so we could provide safe and effective communications overseas. We delivered that briefing with a fun package containing the smartphone, accessories, and White House branded items to make the session memorable.
At the end of the day, if we keep the same security mindset, keep implementing the same security protocols, and simply fund them with more money at a faster rate, we are doomed to failure. It's time to break the rules and try a different approach.