It is firmly established that there is no such thing as 100% security – in fact, a security breach is not a matter of ‘if’ but ‘when.’ In other words, risk will always exist, and businesses need to shift their thinking from completely neutralizing it (which is impossible) to managing it accordingly.
Despite this reality, many business leaders unfortunately expect and demand 100% security from their teams. Because such a posture is impossible, companies will settle for a false sense of security to allow their people to function. This mindset is not only incorrect but irresponsible.
Business leaders must abandon this outdated notion of 100% security and adopt a mindset of risk management. This strategy asks questions about the size of the blast radius and how long it takes teams to detect and remediate. Such an approach also recognizes that humans play a fundamental role in cybersecurity – namely, managing risk – and adjusts strategies and processes appropriately.
Train General Employees Similarly to Cyber Teams
Despite the need for cybersecurity talent, the global shortage of nearly four million cyber professionals makes hiring difficult. This shortage places pressure on understaffed teams, forcing them to do more with less and consequently increasing burnout. Short of getting lucky and landing a skilled worker, businesses cannot magically solve the talent shortage through hiring alone. However, companies can bolster the security competency of their general employees to take a load off the shoulders of overworked cybersecurity teams.
General employees don’t receive sufficient training. The typical security awareness training is little more than watching videos and completing simple comprehension quizzes. It should come as no surprise that human error accounts for 95% of cybersecurity issues. Alternatively, businesses should provide the same training methods cybersecurity teams use to everyone else – namely, interactive simulations and life-like rehearsals.
Spontaneous security simulations, such as mock phishing emails, will allow companies to understand their workforce’s security fitness and offer tailored training to those departments that performed poorly. Plus, by using role-relevant training mockups, organizations can arm their people with the proper protocol for real incidents, reducing anxiety and instilling confidence.
Avoid Complexity, Design with People in Mind
Training is invaluable to strengthening a company’s security posture. But if security processes are too complex or cumbersome and not simple to use, no amount of training will encourage people to spend precious minutes trying to resolve an issue. For example, while employees may know not to click on a suspicious link, they don’t want to spend time confirming that the link is unsafe. Most likely, they might not know how to verify that a link is dangerous beyond their gut instinct.
Organizations must design security processes to incorporate principles of secure-by-design and human-centered design. The former approach places security as a core business goal rather than as some technical feature. The latter approach places people at the heart of the solution – more specifically, the designers are empathic toward the people they are trying to help. When dealing with shady links, for example, the security team and designers must create a user-friendly link verification solution that is not complicated but quick and easy to use, ensuring employees will perceive its value and be encouraged to use it to benefit the entire organization.
Interestingly, this trend toward human-focused security solutions continues to gain traction. Gartner predicts that by 2027, 30% of cybersecurity functions will redesign application security to be consumed directly by on-cyber experts and owned by application owners.
Implement a Zero-Trust Model
When businesses think about cybersecurity, they might imagine a castle with high walls and a deep moat. They build their fortress to repel outsider attackers, often forgetting the threats lurking inside the walls. These risks, known as insider threats, account for 60% of data breaches and can be malicious or accidental.
Zero trust is about managing the blast radius – meaning, if and when something bad happens, what is the size and amount of the damage; likewise, how long does it take teams to detect the breach and perform remediation? This model maintains strict access controls, verifies everything and monitors continuously. Zero-trust architecture also divides the network through microsegments to isolate and block attacks, restricting the lateral movement of bad actors should they gain access.
A zero-trust model transforms a simple castle into a labyrinth of passageways, gates, and checkpoints, minimizing the damage from intentional and unintentional threats. While this approach may seem overly distrustful of employees, it is more than appropriate in today’s unpredictable threat environment.
Every Individual Has a Role to Play in Security
Cybersecurity is constantly evolving with the introduction of new technologies. Generative AI, for instance, benefits businesses and bad actors alike, forever changing the landscape. Although technology continuously evolves, causing techniques and best practices to become irrelevant overnight, humans will always be a core element of any risk management strategy. As such, businesses must remember the influence each member of the organization has on the organization’s security wellness or lack thereof.
About the Author
Sam Rehman is Chief Information Security Officer (CISO) and Head of Cybersecurity at EPAM Systems, where he is responsible for many aspects of information security. Mr. Rehman has more than 30 years of experience in software product engineering and security. Prior to becoming EPAM’s CISO, Mr. Rehman held a number of leadership roles in the industry, including Cognizant’s Head of Digital Engineering Business, CTO of Arxan, and several engineering executive roles at Oracle’s Server Technology Group. His first tenure at EPAM was as Chief Technology Officer and Co-Head of Global Delivery.
Mr. Rehman is a serial entrepreneur, technology expert and evangelist with patented inventions in software security, cloud computing, storage systems and distributed computing. He has served as a strategic advisor to multiple security and cloud companies and is a regular contributor in a number of security industry publications.
Website: https://www.epam.com/
