At the RSA conference, I attended a panel discussion entitled “Changing User Behavior: The Science of Awareness.” The panel focused on explaining the failure of traditional awareness efforts, and made suggestions about what improved solutions might look like.
During the panel, surrounded by a room full of security professionals, it hit me: we are technologists trying to figure out how to solve a communication problem. Maybe security’s “people problem” is relying on the wrong people to solve this challenge.
Are People The Problem?
Our industry is quick to put the blame on “users” when security problems occur. Whether it is the takeover of CNN’s and the AP’s Twitter feeds, or a hack of Target’s HVAC contractor leading to Target’s breach, people are the scapegoat. Despite many technological solutions and increased spending, we’re not getting any better. Why?
At the root of most current compromises and breaches are phishing attacks. Phishing attacks are getting more sophisticated and more effective all the time. Phishing attacks work because they convince people to bypass the hardware and software controls we’ve put in place to protect them. The only true defense against phishing is security awareness, and as an industry we tend to do a poor job of security awareness, even though almost every standard and regulation requires “awareness training”.
Better awareness will result in better security. Of that there is no doubt.
What Is Security Awareness?
When defining security awareness, I prefer to use the definition of awareness coined by Michael Santarcangelo, in his book Into The Breach. He reiterated the definition in this recent blog post on CSO Magazine:
Awareness: The individual realization of the consequences of an action, in their own context of intention and impact.
Security awareness for an organization, therefore, is just an expansion on this term to include security and the organization’s concerns. Security awareness is an individual’s realization of the security consequences of an action, and the corresponding impact on the organization.
When it comes to information security, the impacts to the organization from one security incident could fill a whole catalog. The loss of intellectual property is a pretty simple one to understand: your “secret sauce” is no longer a secret. The impact of breaching customer or employee private information is much more complicated. It reverberates through increased IT costs, increased legal costs, and payment of fines and fees. It also damages reputation, reducing the value of the brand as a whole.
Security awareness is critical to the security of an organization, and thus falls under the purview of the individuals in charge of security.
And that, I think, is where we’re going wrong.
Effective Communication is the Key
Awareness, especially security awareness, is essentially a communication problem. In order for me to be aware of something, it needs to be communicated to me. I am only working from the knowledge base already stored within my brain. I don’t have my cybernetic implant (yet) that performs real-time queries to supplement my knowledge with the corpus provided by the Internet.
If I’m going to be aware of something, either I need to read it, or someone needs to tell me or show me. Those who know need to communicate it to those who don’t.
To be effective, this communication must result in two things:
- I am aware of the consequences of my actions
- My behaviors change as a result of my awareness
People Are the Solution – Just Not These People
Now, let’s get back to what I said above. Since security awareness is so critical to the security of an organization, it is often made the responsibility of those responsible for security.
Are security experts also experts at person-to-person communication? I don’t think so.
Sure, there are certainly outliers who are talented in both security and communication. I’m lucky enough to be friends with some of the true experts on this topic. I also know there are a bunch of people like me, who are knowledgeable about security and are decent communicators. I’m no expert, but can usually get my point across.
Communication experts know exactly how to craft a message to create value, reduce the friction in the communication, and change behavior. They are hard to come by, and much sought after.
Your typical CISO, or head of network security, probably is not an expert communicator. While they might be able to learn enough to become one, is that what you want? I think I’d rather my CISO be an expert at communicating with the business and setting strategic direction for the security organization. I’d want my head of network security to understand every bit of how to architect networks to defend against emerging threats.
It’s time to change the way we handle security awareness. The first step is to stop making it the responsibility of the security teams.
Let’s cultivate true communications experts to focus on security awareness. It is the only way we will get out of the current checkbox-checking mentality that “security awareness training” has become.