Some Personal Risks to Individual Cybersecurity Practitioners Are Elevated Because Of The Work They Do. Is It Time for Workplace Cyber Protections to Follow Them Home?
By Chris Needs, VP of Product Management, HYAS Infosec Inc.
RSAC 2023 once again underscores the sheer number and variety of enterprise security technologies, as if every possible niche of cybersecurity has been addressed. But there’s a growing sentiment that something is missing, something important.
Cybersecurity professionals epitomize RSA’s Stronger Together conference theme of 2023 by simply doing what they always do. Perhaps it’s working with law enforcement on a significant take-down. Perhaps you worked with your ISAC to remediate suspected APT activity, just as they were about to achieve some actions on objectives. Oh, and that new social media post you just published on a cybersecurity topic? You’re making us stronger together by sharing that information.
The problem with every one of these positive contributions is that each increases the likelihood that a cybersecurity professional will attract the ire of attackers, their network of friends, or their government. Meanwhile, that professional clocks out (theoretically), goes home, maybe has a family, and wants to go “shields down” for a while.
Attackers can act on grudges and start looking at you personally. Your home network, your personal devices, and even your family may all be viable attack vectors, whether to settle the score or to leap-frog back into your corporate network. In addition to commonplace adversary objectives – data exfil, malicious encryption, extortion, data destruction – there are other motivations. Bragging rights gained from compromising a security leader, the desire to understand what security researchers know about an adversary, and the satisfaction of poking a cybersecurity team or company in the eye are all motivations that may make your personal life part of the extended attack surface of your organization.
The fact is, our cybersecurity protectors are more highly targeted both at the office and away from it because of what they do at work, and we need to do more to protect our protectors. This is the product area that remains weak. This is what is missing from the sea of vendors at RSAC and all of the (honestly) amazing technology that they bring to market.
The realm of “home” is usually left to consumers and consumer products. We rely on our ISPs, email services, or social media companies to protect us like regular consumers. We have seen advancements in anti-phishing technology in our email. Our credit card companies offer dark/deep web monitoring services. And of course, the cybersecurity awareness training provided at work is transferable to home. I share the PowerPoint decks with my family, as well as the occasional story about successful friendly phishing against colleagues. But we in cybersecurity are more highly targeted and therefore need additional protections. We also have the skills, knowledge, and interest to use more advanced tools at home.
We need to adapt the tools designed for protectors of the enterprise to those same protectors when they go home and have a family to protect. Think about taking an enterprise-grade Protective DNS solution that actively blocks malicious domains, adapting it to the personal needs of an individual or family, and rolling it out to the practitioner at home. Your ISP may be offering some level of protection, but to what extent? There is an implicit trust that they’ve got your back, but you have no visibility into what they’re actually doing for you.
Extra protections would be welcomed by most in our field. But it’s not just about protection; it’s about providing the tools that cyber pros can use to customize the solution to fit their concept of risk at home, just as they would at work. Give them the controls, the dashboards, and the alerting to protect effectively. Provide the same insight into web traffic, blocked domains, and threats that they’re used to at work, but for use at home.
What new opportunities await both vendors and end users by reimagining enterprise security tools for the protectors at home? What additional security would be afforded to the company that recognizes its own security team needs more when they are away from the office? Companies adopting the concept of “duty of care” for their security practitioners may benefit from acknowledging that the enterprise has a duty to reduce the risk it creates for the employee.
Let’s embrace the RSA theme of Stronger Together by strengthening defenses for the protector at home. We need free or low-cost versions of enterprise tools, and affordable delivery models for the individual that employers can purchase on behalf of their protectors. This is a potential triple win: better protecting the enterprise by better protecting the employee, with tools built by vendors that expand their own business.
Now that sounds like Stronger and Better Together.
About the Author
Chris Needs is VP of Product Management with HYAS, leaders in utilizing advanced adversary infrastructure intelligence, detection, and prevention to preemptively neutralize cyberattacks. He drives all aspects of the product management lifecycle including go-to-market strategy, prioritization and roadmaps, and Agile development methodologies. He has previously served as VP of Product Management and UX at Anomali, and as Director at NC4. He holds a PhD from UCLA, an MBA from the Boston University Technology Executives Program, and other professional certifications and degrees. Chris can be reached online at @HYASinc and https://www.hyas.com/.