Preview Mode Links will not work in preview mode

Defense in Depth

  1. All Episodes
  2. Calling Users Stupid

Calling Users Stupid

Sep 17, 2020

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-calling-users-stupid/)

Many cybersecurity professionals use derogatory terms towards their users, like calling them "dumb" because they fell for a phish or some type of online scam. It can be detrimental, even behind their back, and it doesn't foster a stronger security culture.

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Dustin Wilcox, CISO, Anthem.

Thanks to our sponsor, Hunters.

Hunters

Attackers always find new ways to bypass organizational defenses. While their traces hide in the data, they’re also extremely difficult to detect. Hunters.AI is a context-fueled XDR solution that harnesses top-tier threat hunting expertise and ML to autonomously detect, investigate and correlate attack findings across cloud, network, and endpoint.

On this episode of Defense in Depth, you’ll learn:

  • Security people have notoriously had a "better than them" attitude towards their users who they view as the ones causing all the problems and making their lives more difficult.
  • Calling users stupid for making a "mistake of effort" even if it's behind their back does not foster a bond with the security team. It fosters the us vs. them attitude.
  • Security professionals will have a lot more success if they understand why users do the things they do. Once there is that understanding, then cybersecurity will better be able to design systems that accommodate users.
  • About a third of your users confidently believe they're following the right cybersecurity procedures. That discrepancy is not the fault of the users, it's the fault of cybersecurity's education of users.
  • Security can always be more effective in offering up the right tools and the correct education.
  • Security awareness must begin with good service and process design.
  • Phishing tests are pointless to determine security effectiveness. That's because no matter how low your click rates go, someone can always create a more creative test that will send them soaring back up again.
  • If your defense in depth strategy is so poorly designed that your company can be compromised by the simple click of a phish, then you've got a poorly configured security stack.
  • Security professionals' jobs exist because of their users. If there was no organization and users, then there would be no need for security professionals.
  • Quoting Albert Einstein: "If you judge a fish by his ability to climb a tree, he will live his whole life thinking he is stupid.”
  • Look at user mistakes as an education moment, not an opportunity to put them down. If you educate them, they'll go onto educate others as well. Mistakes can actually be very beneficial.