By: Evan Morris
January 24, 2022
Why People Are an Essential Part of Crafting the Organization's Security Posture Strategy
Creating a strategy for an organization's cybersecurity posture is often equated with its technical aspects: the security hardware, software tools, and related protocols. However, many organizations fail to consider one of the most important factors: people.
As experienced cybersecurity expert and senior SANS Institute instructor Lance Spitzner puts it, humans are the weakest link in the cybersecurity chain. This is partly because organizations tend to focus more on machines and pay little attention to addressing the tendency of people to become unwitting accomplices in breaching cyber defenses.
Discussed below are some of the most compelling reasons why every security posture should regard people as a significant consideration. Including people in the strategy should never be an afterthought, let alone perceived as an unnecessary burden to be taken out in cost-cutting measures.
People have control over various attack surfaces
What are attack surfaces? According to the NIST Computer Security Resource Center, an attack surface is "the set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, or environment." In other words, attack surfaces are anything that attackers can use to achieve their goal of unauthorized access, the introduction of malware, the downing of web resources, data theft or corruption, and other harmful or nefarious ends.
Examples of attack surfaces include workstations, laptop computers, network file servers, networked printers, corporate firewalls, network application servers (NAS), and mobile devices. All of these are well within the control of the people in an organization. No matter how technically secure these attack surfaces are, bad actors can find a way around cyber protections by going through the employees or executives who have access to and control over them.
Organizations can use attack surface management to reduce and manage attack surfaces effectively. However, even automated attack surface management platforms are ultimately controlled by certain people in an organization. If those people do not fully understand the attack surface controls or restrictions, they might end up unwittingly breaking these controls, whether out of inconvenience or because of the effective deception of a social engineering attack.
Even security validation systems that are enhanced with the integration of the MITRE ATT&CK framework can be rendered ineffective or virtually useless if the people overseeing the examination of adversarial tactics and techniques deliberately ignore the alerts and recommendations.
Cybercriminals can use employees, supervisors, or people in top-level management as tools to disable security controls, or at least significantly weaken them, and thereby create vulnerabilities that they can exploit. After all, people are in charge of the machines and software in an organization, not the other way around.
Absolute control over people with technology is impossible
Security awareness expert and author of the book Cyberheist: The Biggest Financial Threat Facing American Businesses, Stu Sjouwerman, suggests that it is better to collaborate with people in an organization instead of controlling them regarding cybersecurity. "Organizations need to move away from punitive employee monitoring efforts to create a more collaborative approach," Sjouwerman advises, adding that the idea of being dependent on the IT department or an infosec team is "outdated and dangerous."
If employees in an organization are not entirely convinced of the importance of meticulous procedures, protocols, and the constant use of security controls, they will likely find ways to get around the security system eventually, because they find it inconvenient and pointless. Skilled social engineering perpetrators can easily sway such employees into doing things that betray their organization's interests.
It is a basic instinct for people to question things and seek justification when asked to do or use something. Denying this reality is the first step towards a security posture failure. Why would employees agree to be denied access to certain websites or apps, or the option to immediately download email attachments without scanning them, if they are not acquainted with the implications of these actions?
People still prefer democracy
Despite the rise of autocratic populism in politics worldwide, it is difficult to argue that people would not still prefer democracy in the workplace. According to a 2020 Pew Research poll, democratic rights continue to be popular globally, although many acknowledge the flaws, especially in the people who run democratic systems.
It is not unusual for employees to refuse to cooperate when they were not involved in crafting a process or system. This is because they feel that they are not a part of the organization, especially when the security system imposes too many limitations and takes away many things they have been accustomed to doing.
Suppose employees realize that they are being treated like robots who need to operate precisely according to a specific plan of action and be bound by various restrictions while they are at work. In that case, it's only a matter of time before they start finding ways to attack the system that is overarchingly controlling them. This does not bode well for any stringent security system. Establishing a so-called "trustless system" is acceptable, but dictatorial workplace policies are unlikely to prosper.
Forcing people to follow everything management wants is frowned upon not only because it is autocratic; it also suggests that they are not intellectually capable of having a say in how the organization they work for operates. It is also an admission that the organization did not hire the best people to work for it.
Employees can offer useful insights on how to optimize security systems. This is particularly true for the usability of certain hardware, software, and systems. They can provide feedback on how effective a specific security device or piece of software is. Security equipment and software work better when people do not find them difficult to use.
Employees may notice or identify issues that the usual security testing routines have missed. They can also offer excellent insights into improving cybersecurity without making things too difficult for themselves. With proper awareness, they can provide even more valuable suggestions and help figure out the threats their organization faces.
People should play a role
A cybersecurity strategy may not collapse if people are not considered. However, it is indubitable that security posture management would be considerably better if their perspective were taken into account.
From the rank-and-file employees to the managers and top-level executives of an organization, it is advisable to ensure that everyone is consulted and informed about the development of a security strategy that affects everyone. It also helps to gather suggestions or recommendations from employees, to avoid having disgruntled employees who might be convinced to assist in staging an adversarial attack.