Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

12/5/2018
10:30 AM
Ira Winkler
Ira Winkler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Case for a Human Security Officer

Wanted: a security exec responsible for identifying and mitigating the attack vectors and vulnerabilities specifically targeting and involving people.

It is clear that end users are a major, if not the primary, attack vector for most significant attacks. Whether using phishing, traditional social engineering, or physical compromise, sophisticated attackers know that it is easier for them to find a successful entry point into an organization by targeting users instead of by probing for technology weaknesses. As important, well-meaning users cause more damage in aggregate than malicious parties ever could. In response, there is a focus on trying to make users more resilient through awareness.

The reality is that this works to an extent, but more is required.

Technology is in place to stop user actions in advance, as it should be. In the safety field, it is believed that around 90% of workplace accidents are avoided by creating an environment that prevents employees from being exposed to situations where they can be injured. For example, in one factory where employees were frequently struck by forklifts, they painted a line down aisles, creating distinct walkways. This one change alone reduced almost all accidents involving forklifts. The remainder of the incidents were the result of walkers who were looking at their cellphones and drifted into the forklift because they weren't paying attention.

In the cybersecurity world, one equivalent of creating a secure environment is anti-malware software, spam filters, and PC protections that prevent users from installing software. Creating a secure environment filters out more than 99.9% of potential attacks before they can reach the user, or stops the user from causing damage. But clearly, attacks still make it through, which means awareness is still necessary to reduce the risk.

The truth is that awareness programs should focus on how users should do their jobs properly and not on what they should be afraid of. This requires a definition of proper governance. You cannot expect users to detect every possible trick, but they should at least be able to follow proper procedures in how to act appropriately.

Focus on the User
While in general most companies have some form of software to defend against attacks reaching users, some form of awareness, and something that resembles policies and procedures, these efforts are uncoordinated and haphazard. There is no focused effort to stop specific attacks or user actions.

To address this concern, what is required is a position that I call the human security officer (HSO), who is responsible for specifically identifying the different attack vectors and vulnerabilities involving people. The HSO examines where problems may arise and identifies the optimal ways to prevent, detect, and respond to the attacks or user actions.

Some people may contend that this is the job of the CISO or perhaps an awareness manager. The reality is that awareness people have a very specific role and focus on providing information to people in an attempt to get them to improve their security-related behaviors. The awareness team does not have the responsibility -- and especially not the authority -- to account for all aspects of preventing and mitigating vulnerabilities. The awareness team should report to the HSO.

The HSO would be responsible for determining where human-related vulnerabilities exist and focus on a coordinated method for mitigating the vulnerabilities. This would involve an examination of underlying business processes and the determination of the best combination of technology operational processes that most effectively mitigate vulnerabilities. The HSO would then ensure that the awareness team focuses on ensuring that the awareness program primarily addresses how people should perform their jobs correctly.

While it would be good for a CISO to take on the role of an HSO, in any company of reasonable size, the CISO has a team of people to whom she can delegate responsibilities. Much like there are individuals reporting to the CISO responsible for network security, incident response, and governance, there should be an HSO specifically responsible for all aspects dealing with human-related vulnerabilities. The role should be treated distinctly and go well beyond the traditional awareness roles.

Related Content:

Ira Winkler is president of Secure Mentem and author of Advanced Persistent Security. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
UdyRegan
50%
50%
UdyRegan,
User Rank: Apprentice
12/18/2018 | 2:20:35 AM
Humans over Robots.
I would personally always prefer somebody human attending to my needs. But of course, the way that the world is progressing these days, it seems like automation is the only way to go to keep costs down. We'll have to see. I don't think that they'll really be that much more effective given a human has to program the bots and automated systems to begin with...
NathanDavidson
50%
50%
NathanDavidson,
User Rank: Moderator
12/11/2018 | 10:32:59 PM
Personal experience
I have heard a story from a family friend that there was a candidate applying for a similar role who was perfect for that position and was hired on the spot. It was because of the personal experience that he shared with the company which moved the hiring department to act right there and then so as not to lose him. He told them that he just got out of prison for hacking a company that happened to be the competitor of this hiring company. That's how it works I guess when it comes to the security sector. If you had done it before, it goes to show that you have some great skillsets.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
CVE-2020-15821
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2020-15823
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
CVE-2020-15824
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
CVE-2020-15825
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.