Dave Lewis on the much maligned ‘human element’ of security
COMMENT
I find myself sitting and staring at the TV screen and randomly blinking in an effort to keep my eyeballs from becoming parched.
I have this inescapable feeling of fast becoming an extra on the set of a 12 Monkeys reboot. I’m being only slightly tongue in cheek, if I’m honest.
So the theme of the RSA Conference this year was the ‘Human Element’. I’m certain that the organizers never imagined that this would inadvertently capture the zeitgeist with regards to the unfolding COVID-19 crisis that has gripped the globe.
There was no shortage of hand sanitizer stations throughout the conference. At one point I started to wonder about the toxicity levels of the stuff after I washed my hands for what might have been the hundredth time that day.
With all of the interaction between people at the conference, there was no shortage of hugs, handshaking, fist bumps, and elbow taps. This was well before COVID-19 really took off as a going concern in the wider public eye.
Getting the message across
Back to how we combat digital infections, the human element is a curious one. As security practitioners we tend to vilify end users as the source of everything that is wrong with security.
But the real problem here is that we collectively need to fall on our own sword for not doing a better job at getting the message across to a non-technical audience. How can we expect people to get better at security if we constantly berate them for their missteps?
“What were we thinking?” – the question hung in the air over the throngs of people in RSA’s keynote, delivered by Wendy Nather, head of advisory CISOs at Duo Security (full disclosure: Wendy is my day-job boss).
The question was very pointed. The pregnant pause that followed had the human element shifting in their seats for a moment.
She then delivered her frank take on the conversation about how security professionals have failed to change how the wider audience executes on security. “We are trying to secure an unsustainable security model,” she said.
Duo Security’s Wendy Nather delivered the RSA 2020 keynote
There should instead be a shift to an approach focused on collaboration and democratizing security to make security controls open and approachable to everyone, she indicated.
Case in point: have you ever used a tool written by an engineer for an engineer? Now, imagine your grandparents having to use the same tool to secure their email, and so forth. Yeah, exactly.
We have imbued security culture with some level of mysticism and pixie dust in a backward attempt to elevate our status – leaving the people we’re supposed to protect out in the cold.
“I know it makes people nervous, especially security people, to think about the idea of giving away control. But done right, collaboration will allow business and security to be agile,” Nather argued.
The message was clear: security really does need to be something that non-infosec people want to do.
We need to spend more time developing products that will demystify the discipline and persuade the human element that security is something they can do themselves, so that we can reduce the risk for all.
In short, we need to democratize security.