San Francisco, CA. – The theme at RSA Conference 2020 focused on “The Human Element,” highlighting the current trend toward focusing on end-user experience, vulnerability, and empowerment throughout the InfoSec industry.
During the conference, Olivier Vallez and I had the privilege of interviewing a significant number of senior executives who are the thought leaders about the topic (You can listen to the unedited interviews at Cyberheroescomics.com).
Kelvin Coleman, executive director of the National Cyber Security Alliance, weighed in. “When I look at this issue, there are three ‘buckets’: Products, Processes, and People.” His organization is focused currently on developing strong strategic partnerships to link the private and public sectors, creating alignment to pre-emptively defend against malicious attacks. “We’re really good at products, and developing good products. We’re great at processes; we do that really, really well. But the Human Element – behavior, people – that piece is the one we really need to work on.”
So, what is the solution to addressing these issues? Coleman continues, “You talk to people about the urgency, and they get it! They understand. It’s that next step that is proving challenging. What do you do? How do you do it? What resources do you need? How do you pay for it?”
What’s more, the upcoming switch to 5G is spurring increased stress. “We’re going to see utilization up, like 5X,” predicts Chris Brazdziunas, chief product officer at ThreatX. “That’s the first thing we’re going to see – more and more different devices, and different ways people can access all these applications.”
Such concerns have led to high levels of anxiety across all sectors of the economy, for businesses big and small, and many solutions providers use fear-based marketing to sell their wares. But is fear the optimal way to address these matters? Not according to Frank Duff, cybersecurity engineer at MITRE, who posits, “How do we make people realize they don’t need to live in fear, but [instead] realize that they’re not secure, and realize that they can do things to continually improve and empower them to make better, more informed decisions?”
One aspect of training that is gaining more attention is incentivizing end-users. “I think we are wired based on incentive structures,” says Michael Coates, co-founder, and CEO at Altitude Networks. “If what you’re asking people to do for security is impeding them from achieving [other work] that they are measured on, and given a bonus for, you will never succeed, because you are blocking the incentive structure that they [are motivated by.]”
Despite the myriad awareness programs and processes available, phishing attacks continue to proliferate across all industry sectors. “When we talk about phishing, we talk a lot about the technical stuff,” says Or Katz, head of research enterprise at Akamai Technologies. “But at the end of the day, someone pressed on a link, or downloaded a file, or did something that they were not supposed to do. So, that’s the human factor, and as much technology as we’ll have [in place], the human factor will remain.” That may sound dire, but Katz assures us, there is light at the end of the tunnel, with improved processes (i.e., incentivized programs for cyber training) for security education. “It’s all a matter of awareness, and making sure people [are empowered to] make the right decision. It’s going to get better if we do the right things.”
So, how do we accomplish such improvements in security and awareness training initiatives to effectuate a shift in the upward trend of phishing and ransomware attacks? When asked about the future of cybersecurity education, Mike Aiello, CEO at AppGate, replied, “It’s all about user friction. At the end of the day, when incentives are such that the end-users are not responsible for security outcomes, their default choice will be the ‘least friction’ solution.”
Amit Bareket, co-founder and CEO at Perimeter 81, agrees that friction, or the minimizing thereof, plays a key part in end-user adoption and adaptation to more secure behavior. “I think that consumers want it to be as easy as possible, and to not interfere with day-to-day life.”
Mainstream media coverage of hacks and data security issues is on the rise, and one thing is for certain: the need for enhanced data privacy education and user awareness is paramount. The publicity of data breaches and unethical practices from companies like Facebook and Google has begun opening a window for non-technical people to peek at, and begin to ask questions. As Tom Kelly, CEO of ID Experts puts it, “People are actually starting to understand [the widespread problems with data privacy] because there have been so many egregious misuses of the data, and I think individuals are getting [to the point of demanding accountability.]”
These considerations beg the question, where does end-user responsibility begin and end, and how much responsibility should providers bear for ensuring security? “It’s unfair to ask a security practitioner to secure really, really bad decisions made by users,” says Cody Cornell, CEO at Swimlane. “But, it’s also inversely unfair to ask the user to have the level of expertise [to identify every] phishing email.”
“I would draw the line between what the user actually has control over, and what the cloud provider or the service provider ultimately has control over,” Oliver Friedrichs, vice president of products at Splunk asserts. “For example, I would expect Verizon or AT&T to secure my cell phone transmissions, but would I expect them to secure my email on Google, which is unrelated to anything they have control over? Not necessarily.”
“I think it’s a shared responsibility, but there is a lot [solutions companies] need to do to help [end-users],” says Russ Mohr, director of sales engineering for MobileIron. “We need to help them along,” he continues, “I might do a second [authentication] factor, and use facial recognition.” Mohr addresses the issue of reducing friction: “Eliminating passwords is key, in that it makes it much easier for the end-user to make the right decision, and it’s more secure and easier to use.” As Darrell Long, vice president of marketing and product management at One Identity says, “At the end of the day, the crux of ‘identity’ is with the human being, even if you’ve got devices that are doing things in an automated way. At some point [no matter what] the human being controls the devices.”
Security solutions providers are constantly innovating, in an attempt to do their part to address the growing issue of data privacy, but gaps and coding errors can lead to unforeseen vulnerabilities. “You can teach [software developers] as much as you want about security, and they will get better,” says Chris Eng, chief research officer at Veracode. “But, ultimately, they’re going to make mistakes. So how do you get ahead of that? How do we constantly reinforce the behaviors that we want out of developers? Part of the answer is integrating security testing throughout the course of the software cycle.”
For many innovators, the focus is (unsurprisingly) on Artificial Intelligence, Machine Learning and implementing those technologies to personally identify user behaviors as another level of security authentication often referred to as heuristics. As Sean Peasley, partner at Deloitte Risk & Financial Advisory puts it, “We will hopefully no longer have to enter all these passwords, [and instead employ] machine learning and A.I. to understand your behavior, and [validate] whether you’re who you say you are.” He concludes, “It’s a little way’s off, but I think we’ll get there at some point.”
Of course, anytime the term A.I. is brought up, the inevitable question arises about whether humans are being replaced by machines. “It doesn’t replace human beings,” says Veracode’s Chris Eng. “[A.I.] helps take a huge corpus of data, get it down to something manageable, and then humans look at it to further classify it. So the technology does a lot of – it saves humans a lot of work – but it doesn’t replace humans, at least not in the way we’re using it.”
People can breathe a sigh of relief, at least for the foreseeable future, that there is not an imminent risk of machines replacing humans. There’s a much more critical issue that must be addressed here, and that is the lack of Diversity & Inclusion in the cybersecurity ecosystem at the moment. “It’s more than just gender. It’s more than just racial components. It’s more than just cultural components,” according to Gregory Touhill, board director at ISACA. “One thing I’ve done throughout my professional career is surrounded myself with great talent, and people who don’t necessarily think the way I do or look the way that I do.”
The importance of having a diverse set of perspectives in the Data Privacy industry cannot be understated. “The best teams are the ones where everybody brings their individual strengths and vision together for a common goal,” Touhill continues. “Our State of Cybersecurity Part One: Global Update on Workforce Efforts and Resources continues to show that, in many areas, we’re not necessarily building the most effective teams because we are not plugging in the [requisite] diversity of different flavors, cultures, genders, et cetera.”
Ultimately, the shortcomings often fall on corporate upper management, including c-suite and the boards of directors. “I think that one of the problems [we are facing] is that not enough Board members really understand cyber deeply enough to be able to effectively challenge management… and that is the role of the Board,” David Burg, principal and cybersecurity leader for Americas at EY. “The Human Element is absolutely critical, just in terms of what people do, and how they use technologies, but I think [equally important] is the quality and the caliber of management and individuals who are responsible for the Security Programs to do their job properly, really understand their responsibilities, understand the risks, and then be able to share that openly and freely with senior management and Boards.”
So, what does the future of end-user engagement look like, with regard to data privacy and protection? “I think that the next level of interaction between companies who protect end-users and the end-users [themselves], is not only detecting threats behind-the-scenes but also educating them on what you’re doing and alerting them to what’s happening, because ultimately the end-users are the front line,” according to John Fokker, head of cyber investigations at McAfee. “[Historically, end-users have] sort of been forgotten, and we were going to protect them behind-the-scenes without them knowing, but now, we are going to show them why and what we’re doing, so they know what to look out for.”
The movement toward focusing on the Human Element requires an industry-wide shift to an increasingly human-centric approach to product development. “You have to pay attention to how people feel, rather than only how they think,” according to Johnnie Konstantas, Sr. Director Security Product Management, Oracle Cloud which is allocating focus and attention to ‘Aesthetic Intelligence’, creating a new level of emotional connectivity between technology and users. “[Aesthetics] matters now, more than ever, because everyone is so connected to these digital devices that we’re lacking Humanity.”
As the demarcation lines between mankind and technology continue to narrow, the integration of the most unique and special characteristics of human nature – emotion, aesthetics, adaptability – into technology will increasingly become commonplace. What a blessing it is to be alive and present to witness such monumental transformations unfold!
Gary Berman, Cybersecurity Reporter
Gary Berman is a contributing reporter for Cyber Defense Magazine. He was the victim of a series of insider hacks for several years until he made the pivot from victim to advocate. He is creator and CEO of The CyberHero Adventures: Defenders of the Digital Universe, a groundbreaking comic series that distills complex cybersecurity information into entertaining and educational superhero stories, making cyber hygiene accessible for non-technical people.
Olivier Vallez, JD, MBA – Lead Writer/Cybersecurity Reporter
Olivier Vallez is a contributing writer for Cyber Defense Magazine, covering various cybersecurity topics and events. He is the Head of Business Development at The CyberHero Adventures: Defenders of the Digital Universe, a groundbreaking comic platform that distills complex cybersecurity information into a fun and engaging superhero stories and makes cyber hygiene easy-to-understand for non-technical people.