Sep 17, 2020
All links and images for this episode can be found on CISO
Series (https://cisoseries.com/defense-in-depth-calling-users-stupid/)
Many cybersecurity professionals use derogatory terms towards
their users, like calling them "dumb" because they fell for a phish
or some type of online scam. Doing so can be detrimental, even when
it happens behind their backs, and it doesn't foster a stronger
security culture.
Check out this post for the basis for our conversation on this
week’s episode which features me, David Spark (@dspark), producer of
CISO Series, co-host Allan Alford (@allanalfordintx), and our guest
Dustin Wilcox, CISO, Anthem.
Thanks to our sponsor, Hunters.
Attackers always find new ways to bypass organizational
defenses. While their traces hide in the data, they’re also
extremely difficult to detect. Hunters.AI is a
context-fueled XDR solution that harnesses top-tier threat hunting
expertise and ML to autonomously detect, investigate and correlate
attack findings across cloud, network, and endpoint.
On this episode of Defense in Depth, you’ll learn:
- Security people have notoriously had a "better than them"
attitude towards their users who they view as the ones causing all
the problems and making their lives more difficult.
- Calling users stupid for making a "mistake of effort," even if
it's behind their back, does not foster a bond with the security
team. It fosters the us vs. them attitude.
- Security professionals will have a lot more success if they
understand why users do the things they do. Once there is that
understanding, then cybersecurity will better be able to design
systems that accommodate users.
- About a third of your users confidently believe they're
following the right cybersecurity procedures. That discrepancy is
not the fault of the users, it's the fault of cybersecurity's
education of users.
- Security can always be more effective in offering up the right
tools and the correct education.
- Security awareness must begin with good service and process
design.
- Phishing tests are pointless to determine security
effectiveness. That's because no matter how low your click rates
go, someone can always create a more creative test that will send
them soaring back up again.
- If your defense in depth strategy is so poorly designed that
your company can be compromised by the simple click of a phish,
then you've got a poorly configured security stack.
- Security professionals' jobs exist because of their users. If
there were no organization and no users, then there would be no need
for security professionals.
- Quoting Albert Einstein: "If you judge a fish by his ability to
climb a tree, he will live his whole life thinking he is
stupid."
- Look at user mistakes as an education moment, not an
opportunity to put them down. If you educate them, they'll go on to
educate others as well. Mistakes can actually be very
beneficial.