Where Human Factors Can Eclipse Technology: Complexity, Privacy and Human Error

For all the escalating and intensifying digital challenges that cybersecurity professionals must constantly mitigate and navigate, perhaps the biggest security vulnerability of all is decidedly analog: Our own human fallibility.

“People get tired,” says Digital Big Bang author Phil Quade. “They make mistakes. They are poorly trained. People will continue to undermine the security of our systems, so we must actively and intelligently use machines to compensate for human limitations.”

It is a delicate balance between needs that often seem at odds with each other, and between the positive and negative consequences of digital innovation.

“A defining attribute of our species is our unresolvable contradictions,” Quade notes. “We are intensely social, drawing together to form highly interconnected societies and systems. We also can be shockingly antagonistic and prone to conflict. Our finest minds have worked tirelessly for the benefits of humanity, but some of their work has been harnessed for greed and exploitation. This is certainly true of the digital universe.”

The key to resolving these conflicts is to avoid dichotomies and false choices, such as between security and privacy. “Until we embrace the fact that it’s not security or privacy but both, sustainable higher order cybersecurity will not thrive,” Quade says.

Balancing these conflicts efficiently often starts with shifting the perspective.

“Many organizations have focused on finding purely technical solutions,” says Michael Daniel of Cyber Threat Alliance. “They hope for a single technological tool that would solve the challenge and make the problem go away. But one tool is simply not going to do the job. It requires integrating approaches from a number of different disciplines in order to get at the problem, and moving out of the mindset that because this problem is being generated by the IT environment, the solution has to therefore come from IT. In other words, as a CIO or a CISO, you’re no longer just managing IT and security; you’re managing complexity.”

Managing this complexity takes on even greater significance when privacy issues arise, though. And when organizations fail to strike the proper balance, they risk creating a level of complexity that creates far more challenges—including shadow IT created by users finding workarounds to features they find invasive.

At the same time, intensifying regulations such as GDPR have implemented costly penalties for privacy violations.

“In the GDPR era, organizations must know what information they gather and why,” advises Kevin Miller of MGM Resorts International. “Information that was previously considered so benign as to be included on a business card is now covered data—a name, postal address, email, telephone number, and a photograph on an employee badge. To many modern digital businesses, data is considered the company’s most valuable asset. But now, data may also be considered a liability and even a risk. If you collect it, you must protect it.”

That combination of internal workarounds and external regulation raises the stakes for many organizations. The solution may lie in addressing human error directly.

“You can always apply technology solutions to a problem, but it only takes the least capable person in the room to ruin them for you, so you must also take a human approach,” says Kevin Kealy, formerly of Ingram Micro. “In my experience, education is one of the most cost-effective ways to secure your organization. I believe that people will generally do the right thing if appropriately educated. But even then, you still have to deal with human frailty.”

The solution? “Design for the human,” says Theresa Payton of Fortalice. “Use behavioral analytics and existing data to provide better security while making access to the resources they need to do their job as easy and seamless as possible.”

For more information on these advanced strategies for cybersecurity, and perspectives from more industry experts, check out “The Digital Big Bang: The Hard Stuff, the Soft Stuff, and the Future of Cybersecurity” by Phil Quade.

Sourced from Fortinet

Field CISO Q&A: Jonathan Nguyen

We regularly provide Q&A pieces with Fortinet executives to share their key insights and leadership perspectives. The following is from an interview with Jonathan Nguyen-Duy, Vice President, Global Field CISO Team at Fortinet, that touches on common challenges that C-level executives face, the future of cybersecurity, and experienced advice for CISOs.

You talk to a lot of C-level executives. What are a few common themes that come up as concerns — across industries, enterprise size, etc.? What are some common pain points? 

Continually increasing complexity of threats, shortage of staff, and lack of visibility are challenges that I see across all industries and public sector agencies of all sizes. I’ve not met a CISO that could confidently say that their team had 100% visibility across the network – let alone the state of those connected devices. Lack of visibility into network connections and anomalous behavior is critical – after all, you can’t protect what you can’t detect.

Compounding these challenges is the need to deliver innovation and services faster and a public that expects great levels of security and privacy. Everything is more complex and accelerating – computing, networking, security, compliance, along with all elements of the digital enterprise. 

Are there any disconnects between CISOs and other business leaders within their organization that may be surprising to the security organization?

One surprising disconnect between CISOs and the business leadership is the lack of adoption of the reasonable care standard for security and resiliency. Widely cited in best practices and regulatory frameworks, the reasonable care standard requires organizations to implement technologies and processes to identify and manage risk. While every CISO I’ve met agreed it was the right approach, few have said their boards had adopted reasonable care as their measure of security.  

What does the future of security look like? 

Security will be more integrated with networking and computing – all of which will be more distributed and accelerated with 5G and the mass implementation of smart solutions. The third generation of security will see it being designed into solutions from the outset rather than a bolted-on afterthought.

New 5G-enabled, edge-based computing from industrial applications to smart cities will generate more data than ever before – shifting the majority of computing to the edge, with the cloud progressively being used for correlation and storage.

Security will also be more automated, leveraging AI and ML to analyze vast volumes of data for anomalous behavior in everything from autonomous cars and industrial processes to privileged access users.

How does a security fabric approach protect customers in the future of security?

Having run one of the largest MSSPs in the industry and led one of the foremost threat research teams, I would say that just about every breach in the last 20 years was a result of gaps in visibility, awareness, and control. If you can’t see what’s on your network – you can’t protect it. If you can see what’s connected but have no contextual awareness about what’s happening – you can’t protect it. And if you can detect and understand what’s happening but don’t have an integrated and automated way to respond – you still can’t protect it.

The Fortinet Security Fabric’s broad, integrated, and automated approach provides the visibility and control that’s needed as security becomes even more challenging. With end-to-end visibility and a framework of integrated devices collecting and sharing data to detect threats, combined with FortiGuard AI-enabled intelligence, the fabric automates the detection and mitigation of threats at speed and scale.

How does that intertwine with dynamic cloud security zero-trust network access?

Amongst the recommendations made in light of increasingly aggressive cyber threats, there has been a specific call for the adoption of Zero Trust across the US Government. Zero Trust posits that traffic inside the perimeter should be trusted no more than outside traffic.

A lot has changed since the original inception of Zero Trust in 2009, including the disappearance of perimeters. Going forward, trust assessment needs to move beyond a simple binary yes-no model to be more adaptive and risk-based by:

  • Identifying every request for network access
  • Authenticating the requestor
  • Confirming the state of the device on which the request is made
  • Validating the access request based on a least privileged, need-to-know basis
  • Continuously logging and monitoring all activity for anomalous behavior

The Fortinet Fabric and its partner ecosystem provide enterprises with a broad, integrated and automated way to control access and continuously monitor behavior from the IoT edge, across enterprise networks, and across the largest cloud providers.
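The five steps above describe a policy decision, not a product. As an added example (not Fortinet code and not the Security Fabric's API), the following Python evaluator shows what an adaptive, risk-based version of those steps looks like in practice: every request is identified and logged, the requestor is authenticated, device posture is checked, the resource is gated on need-to-know roles, and the final answer is a risk score compared against a threshold rather than a simple yes/no. The users, devices, resources, score weights and threshold are all constructed assumptions for illustration.

```python
# Added example: an adaptive, risk-based zero-trust access evaluator.
# Illustrative code written for this article, not Fortinet's Security Fabric
# or any product API. All users, devices, resources, score weights and the
# threshold below are constructed assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed identity directory: who exists and which roles they hold.
USERS = {
    "alice": {"roles": {"finance"}},
    "bob": {"roles": {"engineering"}},
}

# Constructed resource ACL: which roles may reach each resource (need-to-know).
RESOURCE_ACL = {
    "payroll-db": {"finance"},
    "build-server": {"engineering"},
}

# Constructed device inventory with posture attributes as a management agent would report them.
DEVICES = {
    "lt-001": {"owner": "alice", "managed": True, "disk_encrypted": True, "patch_age_days": 3},
    "lt-002": {"owner": "bob", "managed": True, "disk_encrypted": False, "patch_age_days": 45},
}

RISK_DENY_THRESHOLD = 50   # assumed: scores at or above this are refused
AUDIT_LOG = []             # every request is recorded, allowed or not


@dataclass
class AccessRequest:
    user: str
    device_id: str
    resource: str
    mfa_passed: bool
    source_country: str
    expected_country: str = "US"   # assumed home region for the requestor


@dataclass
class Decision:
    allow: bool
    risk: int
    reasons: list = field(default_factory=list)


def _record(req, decision):
    """Step 5: log every outcome so anomalous patterns can be monitored later."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": req.user, "device": req.device_id, "resource": req.resource,
        "allow": decision.allow, "risk": decision.risk, "reasons": list(decision.reasons),
    })
    return decision


def evaluate(req):
    """Step 1: every request is evaluated; origin inside the perimeter earns no implicit trust."""
    reasons, risk = [], 0

    # Step 2: authenticate the requestor (identity must exist; missing MFA raises risk).
    user = USERS.get(req.user)
    if user is None:
        return _record(req, Decision(False, 100, ["unknown user"]))
    if not req.mfa_passed:
        risk += 40
        reasons.append("MFA not satisfied")

    # Step 3: confirm the state of the device making the request.
    device = DEVICES.get(req.device_id)
    if device is None or not device["managed"]:
        return _record(req, Decision(False, 100, ["unknown or unmanaged device"]))
    if device["owner"] != req.user:
        risk += 40
        reasons.append("device not registered to requestor")
    if not device["disk_encrypted"]:
        risk += 30
        reasons.append("disk not encrypted")
    if device["patch_age_days"] > 30:
        risk += 25
        reasons.append("patches older than 30 days")

    # Step 4: validate the request on a least-privilege, need-to-know basis.
    allowed_roles = RESOURCE_ACL.get(req.resource)
    if allowed_roles is None or not (user["roles"] & allowed_roles):
        return _record(req, Decision(False, 100, ["role not permitted for resource"]))

    # Context signal: an unexpected source region raises risk but is not a hard deny.
    if req.source_country != req.expected_country:
        risk += 20
        reasons.append("unexpected source country")

    # Adaptive decision: a score against a threshold, not a binary identity check.
    return _record(req, Decision(risk < RISK_DENY_THRESHOLD, risk, reasons))


def recent_denials(user, limit=3):
    """Step 5 continued: flag a user whose denied requests reach the limit."""
    denied = sum(1 for e in AUDIT_LOG if e["user"] == user and not e["allow"])
    return denied >= limit
```

The hard denials (unknown identity, unmanaged device, role not permitted) are deliberately not score-based: posture and context can adjust trust, but they never substitute for authentication or authorization. The audit log is what makes the last step possible; `recent_denials` is the simplest anomaly check one could run over it, and a real deployment would feed the same records to a SIEM or behavioral-analytics pipeline.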

Is there specific advice that you find yourself sharing most often in your discussions with other CISOs and CSOs?

Across all the threat research of the past 20 years, and conversations with security professionals from global enterprises and the intelligence community, it’s clear that we’re still not getting the fundamentals right. The vast majority of breaches are not caused by sophisticated attacks or advanced tactics, techniques, and procedures. Rather, threat actors at all levels of sophistication exploit known vulnerabilities for which patches are available. In some cases, these patches have been available for over a year. Indeed, most attacks leading to data breaches could have been mitigated via simple to intermediate controls.

Because so many attacks begin via phishing and exploit known vulnerabilities, getting the basics of security hygiene and resiliency done pays huge dividends.

In my experience, the following steps can help organizations:

  • Adopt and implement the Center for Internet Security Critical Security Controls
  • Implement continuous security awareness campaigns
  • NGFWs are a great compensating control because patching is not easy
  • A rigorous and autonomous approach to web application vulnerability management
  • Employ multi-factor authentication (especially for critical systems/processes)
  • Back up data based on criticality and the SLA associated with the process


Sourced from Fortinet