2015... the year of cyber in-security, and some closing comments
2015 will certainly be remembered as the year of cybersecurity, and equally as the year of cyber in-security. While there have been many cyber incidents, ranging from state-sponsored attacks to ransomware, cybersecurity will certainly be etched in our hearts and minds for some time to come. On the positive side, there has been a lot of chatter about security analytics technologies covering endpoints, applications, virtual servers and networks. No surprise, then, that cybersecurity companies received over $1.2B in funding during the first six months of 2015 (Source: http://www.csoonline.com/article/2968438/security-industry/investors-pour-billions-in-to-cybersecurity-firms.html).
Well, I have a slightly different take on this matter. In chatting with CISOs in regulated and unregulated industries, it has become quite obvious that the weakest link in the fight against escalating cyber threats, or Advanced Persistent Threats (APTs), is still the USER or staff and, more specifically, user psychology.
To play this out further: what’s the point of procuring the latest and greatest cybersecurity technology if your staff doesn’t use it? This would be analogous to someone purchasing the latest security system for their house with no enforcement mechanism to check who’s coming in through the front door. And, to take this one step further, a thief disguised as a utilities maintenance worker, or as your substitute babysitter, enters your home, shuts off the main power to the house and ransacks the place… Sound familiar?!
The simple question is: how do you ensure that your staff (both employees and contractors) are following the rules before you provide them the keys to the kingdom, such as network access?! This problem is further exacerbated in a Bring Your Own Device (BYOD) world, with a contractor workforce, or simply with a geographically distributed team where users don’t want to follow the policies set by the CISO. Furthermore, how do you ensure that the ‘good’ users are positively reinforced to continue following the rules? In the same vein, how do you make sure the ‘procrastinators’ are reprimanded in some way?
In tech speak, this is Governance, Risk and Compliance (GRC) meets cybersecurity technology and, in the example above, identity management. 2016 promises to be the year of a much more holistic view on cybersecurity. At Entreda, we are excited to be part of this microcosm…
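To make the "check compliance before handing over network access" idea concrete, here is an added illustration that is not part of the original post and not Entreda's product code. It models the GRC-meets-identity decision as a small policy gate: each user's device posture (policy acknowledgement, MFA enrolment, disk encryption, patch age, managed vs. BYOD status) is evaluated before access is granted, with minor gaps sent to a remediation state and hard failures denied. The control names, the 30-day patch threshold, the contractor/BYOD rule and the sample users are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Assumed policy threshold: devices patched more than this many days ago
# are considered out of date (a constructed value, not a standard).
MAX_PATCH_AGE_DAYS = 30

# Controls whose failure denies access outright rather than quarantining.
HARD_FAILURES = {"policy_not_acknowledged", "contractor_unmanaged_device"}


@dataclass
class Endpoint:
    """Posture facts about one user's device at connection time (hypothetical schema)."""
    user: str
    is_contractor: bool
    policy_acknowledged: bool   # user has accepted the acceptable-use policy
    mfa_enrolled: bool
    disk_encrypted: bool
    last_patched: date
    managed_device: bool        # enrolled in MDM; a BYOD device is False


def failed_controls(ep: Endpoint, today: date) -> List[str]:
    """Return the list of policy controls this endpoint currently fails."""
    failures = []
    if not ep.policy_acknowledged:
        failures.append("policy_not_acknowledged")
    if not ep.mfa_enrolled:
        failures.append("mfa_not_enrolled")
    if not ep.disk_encrypted:
        failures.append("disk_not_encrypted")
    if (today - ep.last_patched).days > MAX_PATCH_AGE_DAYS:
        failures.append("patches_out_of_date")
    # Assumed rule: contractors must connect from a managed device.
    if ep.is_contractor and not ep.managed_device:
        failures.append("contractor_unmanaged_device")
    return failures


def access_decision(ep: Endpoint, today: date) -> Dict[str, object]:
    """Gate network access on posture: grant, quarantine (remediation network) or deny."""
    failures = failed_controls(ep, today)
    if not failures:
        decision = "grant"
    elif HARD_FAILURES & set(failures):
        decision = "deny"
    else:
        decision = "quarantine"   # limited network until the gaps are fixed
    return {"user": ep.user, "decision": decision, "reasons": failures}


def compliance_report(endpoints: List[Endpoint], today: date) -> Dict[str, List[str]]:
    """Group users by decision; 'grant' is the list a CISO can positively reinforce."""
    report: Dict[str, List[str]] = {"grant": [], "quarantine": [], "deny": []}
    for ep in endpoints:
        report[access_decision(ep, today)["decision"]].append(ep.user)
    return report


# Constructed sample population, evaluated as of a fixed date.
TODAY = date(2015, 12, 31)
SAMPLE = [
    Endpoint("alice", False, True, True, True, date(2015, 12, 20), True),
    Endpoint("bob", False, True, False, True, date(2015, 12, 21), True),
    Endpoint("carol", True, True, True, True, date(2015, 12, 28), False),
    Endpoint("dave", False, False, True, True, date(2015, 10, 1), True),
]

if __name__ == "__main__":
    for ep in SAMPLE:
        print(access_decision(ep, TODAY))
    print(compliance_report(SAMPLE, TODAY))
```

Running the block prints one decision per user and then the grouped report; the "grant" list is the set of users following the rules, and the "reasons" on the other entries are what to feed back to the procrastinators.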
Have a healthy and secure 2016!