Navigating A People-Centric Approach to Security


Virtual Town Hall Insights
Global CISO Community

Ryan Kalember

EVP, Cybersecurity Strategy

Proofpoint

MODERATOR

Nicole Ford

VP & CISO

Carrier

DISCUSSION LEADER

Andrew Kirkland

CISO

Starbucks

DISCUSSION LEADER

Raffaele Maresca

Global CISO

Perfetti Van Melle

DISCUSSION LEADER

Tim McKnight

Executive VP & Chief Security Officer

SAP

DISCUSSION LEADER

Rob Reijnders

CISO

FrieslandCampina

DISCUSSION LEADER

Jennifer West

VP, CISO

Catalent Pharma Solutions

DISCUSSION LEADER

JUNE 2021

With remote work becoming a long-term part of a hybrid workforce strategy, organizations around the world are at a greater risk of cyber threats than ever before -- and cybercriminals are taking advantage of the situation. In June, Global CISOs who lead large, multinational organizations joined a community discussion examining the biggest challenges security leaders face. They focused on why a people-centric approach to security is everyone’s biggest opportunity to better protect their organizations.

Moderator Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, kicked off the discussion noting how remote work and the move to the cloud have changed the nature of threats. He shared findings about breach activity, including: 

  • 85% of breaches involved a human element

  • 61% of breaches involved credentials

  • 13% of non-DoS incidents involved ransomware


Kalember also noted two things that are affecting every organization: ransomware, which demands attention because 90% of successful attacks arrive via email, and business email compromise (BEC), which causes larger losses than all other threats combined.

He framed the breakout discussions about how to implement people-centric security as protecting internal people from the threats aimed at them. He noted that the cloud is becoming as much of a people-centric risk as email, if you consider credentials a people-centric issue. He added that companies are also trying to protect the information that people create and access.

Then, Kalember, along with the Global CISOs serving as discussion leaders, led smaller groups in engaging conversations about people-centric security efforts. The large group got back together at the end to share their ideas and takeaways, including: 

  • We should double down on some of the cultural aspects of new hires (not just hires in security) and help them become acclimated to the security culture of the organization.
  • We should think through what the technical structure looks like -- the Active Directory side of things. Do we limit what an attacker can reach if they get in?
  • One group noted that a one-size-fits-all training in which everyone learns the same thing is no longer sufficient and that knowing a particular group’s threats — and targeting those — is better.
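
One way to make the Active Directory question above concrete, as an added example that is not from the town hall or from any of the organizations represented: treat accounts and hosts as belonging to privilege tiers (Tier 0 for domain control, Tier 1 for servers, Tier 2 for workstations) and flag logons where a higher-privilege account leaves reusable credentials on a lower-tier host, which is the path an attacker takes from one phished workstation to the whole domain. The group names, host-naming convention, accounts and logon records below are all constructed for this example.

```python
"""
Flag Active Directory logons that cross privilege tiers.

Added example with constructed data: the groups, hosts, accounts and logon
records are invented for illustration, not taken from any real environment.
Tier 0 = domain/forest control, Tier 1 = servers, Tier 2 = workstations.
A Tier 0 credential used interactively on a Tier 2 host is what turns a
single phished workstation into domain takeover.
"""
from dataclasses import dataclass

# Assumed group-to-tier mapping (adjust to the environment being audited).
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
TIER1_GROUPS = {"Server Admins"}

# Constructed group memberships standing in for Get-ADGroupMember output.
GROUP_MEMBERS = {
    "Domain Admins": {"da.alice", "svc.backup"},
    "Server Admins": {"srv.bob"},
    "Domain Users": {"alice", "bob", "carol", "da.alice", "srv.bob", "svc.backup"},
}


def account_tier(account, group_members=GROUP_MEMBERS):
    """Lowest tier number (most privileged) any of the account's groups grants."""
    groups = {g for g, members in group_members.items() if account in members}
    if groups & TIER0_GROUPS:
        return 0
    if groups & TIER1_GROUPS:
        return 1
    return 2


def host_tier(hostname):
    """Derive host tier from an assumed naming convention: DC*, SRV*, everything else."""
    name = hostname.upper()
    if name.startswith("DC"):
        return 0
    if name.startswith("SRV"):
        return 1
    return 2


@dataclass(frozen=True)
class Logon:
    account: str
    host: str
    logon_type: int  # Windows event 4624 LogonType


# Logon types that leave reusable secrets on the target host:
# 2 Interactive, 10 RemoteInteractive (RDP), 11 CachedInteractive.
# A type 3 network logon normally does not, so it is a different exposure.
CREDENTIAL_EXPOSING_TYPES = {2, 10, 11}


def tier_violations(logons):
    """Logons where the account is more privileged than the host and credentials are exposed."""
    return [
        l for l in logons
        if l.logon_type in CREDENTIAL_EXPOSING_TYPES
        and account_tier(l.account) < host_tier(l.host)
    ]


# Constructed sample of 4624-style events (account, workstation name, logon type).
SAMPLE_LOGONS = [
    Logon("alice", "WS-1042", 2),          # normal user on a workstation
    Logon("da.alice", "DC01", 10),         # Tier 0 admin on a domain controller: fine
    Logon("da.alice", "WS-1042", 10),      # Tier 0 admin RDP to a workstation: violation
    Logon("svc.backup", "SRV-FILE01", 2),  # Tier 0 service account on a Tier 1 server: violation
    Logon("srv.bob", "SRV-FILE01", 10),    # Tier 1 admin on a server: fine
    Logon("srv.bob", "WS-0007", 3),        # network logon, no cached credential: not flagged
]

if __name__ == "__main__":
    for v in tier_violations(SAMPLE_LOGONS):
        print(f"tier violation: {v.account} (tier {account_tier(v.account)}) "
              f"on {v.host} (tier {host_tier(v.host)}) logon type {v.logon_type}")
```

Fed with real 4624 events, the same function turns "do we limit what the attacker can reach" into a daily count that can be driven to zero. The logon-type filter matters: a network logon does not normally leave a reusable credential on the target, so the Tier 1 admin's type 3 access to a workstation is not the same exposure as an interactive or RDP session, and flagging it would bury the two real findings in noise.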

The people-centric approach to security produced many specific training and culture ideas, including the following:

  • Hosting hackathons to surface new security ideas.
  • Providing targeted training by function.
  • Branding ourselves the “yes” organization, not the “no” organization, and helping people get to know the names and faces of the security team.
  • Possibly using change management practices to get the entire organization onboard.
  • Implementing zero tolerance policies for violations.
  • Creating a defender learning journey to provide security learning for people outside of security.

The groups also discussed third-party risk management, how to define security training by role, and how to provide metrics on its effectiveness.

Andy Kirkland summed up his group's thinking on operational technology risk by saying, "Our best effort is to make a dent." Tim McKnight said that his group "could have talked about ransomware the entire time." And Nicole Ford said that her group discussed "ransomware, DDoS, and social engineering as the biggest threats."

The security leaders agreed that they are adapting to a world in which people sit behind home cable modems connecting straight to the cloud, but that the core security principles have not changed. In the good old days, as one participant put it, security controls could be embedded in the infrastructure; now security leaders have to keep up on a variety of fronts.
