Much has been written about long lists of cybersecurity problems (most of which practitioners are already aware of) and about potential solutions, so it may be worth taking a moment to reflect on how the state of information security has changed over the years. Security challenges—the way they are approached, the processes in place to address them, the people trying to solve them—all seem to repeat themselves without anything fundamentally changing.
Undoubtedly, most would agree that organizations, governments and society as a whole rely on the Internet, with all of its associated technology, services and conveniences, more than ever before. The threat landscape has changed throughout the past several decades, most recently with the shift to a hybrid workforce triggered by the COVID-19 pandemic, and a wide range of products and solutions has entered the market to tackle the new and increasing number of threats from a technology perspective.
Security professionals have worked hard over the years to drive a more security-aware culture in organizations, employees and day-to-day life. In addition, policies and processes have evolved and organizations now must adhere to an increasing number of regulations and attempt to align themselves to well-known frameworks such as the International Organization for Standardization (ISO) standard ISO 27001. But the “people” component of the people, process and technology (PPT) triad is still the biggest hurdle to achieving a good security outcome.
Of course, one could argue that people also learn and evolve over time—and to some degree, they do. But there are fundamental human traits that make it seemingly impossible to progress beyond a certain point. Organizations must deal with many complex factors as part of business operations, such as competitive aspects resulting in time pressure, insufficient funding and/or resources, lack of knowledge, weak leadership or even inappropriate organizational culture, to name a few. These factors have not changed over many years. If anything, they have gotten worse.
Consider any organization or one of its customers. One would struggle to find an enterprise today whose employees claim that they have plenty of time to do their work properly, that they are sufficiently staffed, that there are always enough funds available for new equipment and that, overall, things have improved over the years. And while the recent trend toward automation attempts to solve many of these problems, fundamentally the same challenges persist.
The people factor is worth closer examination. Of course, some organizations do a better job at instilling good security habits than others. But looking at the bigger picture involves considering the typical employee, not a tech-savvy member of the IT department.
When it comes to security, non-security-minded individuals may feel that they have no time for it, that they are not interested in it, or that they do not care to learn about it. An employee may ask, “If bad things happen to others and not to me, why should I care?” To put it another way, flawed information security can be attributed to those who are ignorant (because they do not want to spend time learning about security and/or are not interested in it) or complacent (because they believe bad things happen only to others and not to themselves or their organization).
It is true that various training and education campaigns exist with the goal of changing these attitudes, and that is a good thing. However, despite these efforts, people fundamentally do not want to change their attitude toward cybersecurity. The average employee participates in a mandatory biannual online refresher on information security in the workplace, or in a random phishing awareness campaign, only because they have to. They may consider it a nuisance, something they just want to complete, and pay little attention to the importance and purpose of the exercise. Why? Because the employee is not interested in it, does not have time for it or does not fully understand it. It is possible that, as far as the employee can remember, the organization has never experienced a security-related issue. As a result, they do not understand why they should care.
Unfortunately, ignorance, complacency and a lack of knowledge are not limited to the typical employee. Such attitudes can be observed at every level of an organization, including senior leadership. Combined with the everyday complexities and challenges of running a business, it is evident how counterproductive this is to everything that information security stands for. The potential outcomes of indifference toward information security can be, and have been in many cases, disastrous. Organizations and institutions around the world have experienced breaches on a massive scale with severe implications on many levels.
Consider an example of a real-world scenario involving the investigation and clean-up efforts that followed a cyberattack on a large national institution that is part of the affected country’s public health care system. The fallout from this attack resulted in multiple large hospitals and many smaller health care facilities throughout the country being forced to revert to manual and paper-based processes as many of their critical IT systems had been affected and, in some cases, were entirely inaccessible. Needless to say, in one way or another, patient care was affected. It took several weeks to bring many of the systems back online.
As part of the overall investigation, which followed the concepts and principles of an audit, a cybersecurity professional interviewed many individuals from different ranks and departments over the course of 10 days. Starting with IT and operations management, the cybersecurity professional spoke with staff working in asset management, risk management, information security, IT architecture and operations, in addition to several non-IT employees. Along with these interviews, the cybersecurity professional reviewed numerous documents (e.g., security policies, network design documents, diagrams) and artifacts related to internal audit processes and operational procedures.
While much of the focus (and blame) for the fallout was directed at the operations team, after about 5 days of interviews and document reviews a bigger picture of the true underlying causes emerged—not so much of the attack itself, but of the widespread damage that followed.
A long list of shortcomings emerged, which demonstrated how complex it is to do information security right from end-to-end in a large organization. While not an exhaustive list, the following were several key discoveries:
- The executive leadership team did not pay enough attention to security, due in part to a lack of knowledge and understanding, but primarily because the priority and focus was patient safety rather than IT security.
- While some members of the IT department and the risk management team regularly informed senior leadership of impending threats and risk factors, this did not produce the required response from senior leaders. IT management had insufficient security knowledge and/or was unable to articulate the issues to the C-suite in a way that executives could understand.
- Architects working on several IT projects over the years had little security background and experience, but, nevertheless, tried to incorporate security into new design and deployments to the best of their abilities. Many such projects did not progress past the design stage, leaving the organization with an aging infrastructure that showed security weaknesses in many areas.
- Best practices for the operational processes of managing infrastructure and security had not been followed, in part due to a lack of mandating policies, but largely because of a lack of security knowledge among the IT and operations teams. This was exacerbated by a staffing shortage on these teams, impacting their ability to think and act beyond daily “break-fix” activities.
- Because there was no chief information security officer (CISO), the security manager was the only security-minded employee at the organization, and that person lacked the knowledge and authority needed to make the changes necessary to improve the organization’s security posture.
- Many non-IT employees showed little understanding of, or interest in, information security, which could be largely attributed to insufficient training during initial onboarding and a lack of regular cybersecurity awareness campaigns.
Returning to the idea of employee ignorance, complacency and lack of knowledge, the massive disruption is believed to have been caused not by the attack itself, but by a combination of the following:
- Insufficient security awareness and knowledge at all levels of the organization
- Ignorance and complacency at the executive and senior leadership levels
- Lack of an executive leadership position dedicated to security
- Insufficient resources and security knowledge, particularly within the operations team
- Internal politics resulting in agendas that were counterproductive to overall security posture
- The absence of security policies and procedures, and of their enforcement, specifically processes for dealing with a cyberattack
Conclusion
There is no tidy solution to these issues, and there may never be one. The best option for security professionals is to continue educating employees at every level of the organization. When thinking about security, many people immediately think of all the products and solutions that one could buy to keep an organization and its people safe. However, even the best technology is not effective if people continue to underestimate how devastating ignorance, complacency and a lack of knowledge can be, and increasingly will be.
What organizations fail to understand is that security weakness does not stem from a single employee doing the wrong thing, the one operational policy that is missing, the senior leader who does not understand security or the product for which there is no funding. The true danger, and the biggest risk to an organization, lies in the combination of all these factors. In the technology space, it is often said that visibility is key to understanding what is happening in the security environment: one cannot protect against something one cannot see or does not even know is there. As such, many vendors aim to design solutions that provide full visibility into all areas of the network and the applications on which the enterprise relies. Visibility is achieved by gathering data from many points in the network and the application stack; those data, in turn, help to build a bigger picture of what is happening across the security landscape.
A similar approach should be used to address the human aspects of security at all levels throughout an organization. In the technical realm, security posture assessments are conducted, policies are reviewed and updated, operational practices and procedures are assessed, employees are trained and educated, and awareness programs and educational campaigns are developed to convey what it means to be a good digital citizen. These are all important and relevant practices that should continue. But while they are good starting points, having many individual point solutions without an element to bind them together from a visibility perspective cannot be wholly effective.
What organizations and many of their leaders are missing is an end-to-end view of their security posture in the people context of the PPT triad. Organizations should conduct regular assessments of this area within the context of information, network and cybersecurity, as is done in the IT space. The fundamental question for leaders should be: “If a serious cyberattack hit our business tomorrow, how well are we (the entire organization including all employees and resources) prepared for it?”
In addition, an organization should ask itself a number of key questions:
- Does the leadership team have the required experience, knowledge, understanding and interest in enterprisewide security?
- Does the leadership team give security the appropriate level of attention and understand the consequences of failing to do so?
- Is there an executive leader with a security focus who drives security throughout the entire organization?
- Does the organization understand the value of all its assets and risk levels associated with those assets?
- Does the organization understand the relevant threats to its assets, people, resources and the enterprise itself?
- What is the general enterprise culture, especially in terms of information, network and cybersecurity?
- How skilled and experienced in security are the various IT and operations managers and their staff?
- Do critical IT, security and operations teams have sufficient resources to respond to attacks?
- Are there appropriate policies and procedures in place to respond to a cyberattack and are all stakeholders aware of them?
- Do employees, especially in the wider IT department, know and follow the processes for responding to attacks and to any resulting business impact?
Weakness in one or more of these areas severely weakens an enterprise’s security posture, which can have serious consequences for the organization and its employees. To combat this, organizations must develop a holistic view of their people posture. Only then can an enterprise identify its strengths and mitigate its weaknesses and the risk posed by employees in all roles and across all sectors of the business. As long as the human aspect continues to be overlooked, security professionals will keep doing the same things year after year.
Editor’s Note
Hear more about what the author has to say on this topic by listening to “The Impact of People on Information Technology Landscape,” an episode of the ISACA® Podcast.
Thomas Lenzenhofer, CISA, CISM, CDPSE, CISSP, ISO 27001 IA, is a business development manager for the Security Services department at Cisco Systems Australia. In his 30-year IT career, he has worked in countries across multiple continents and held several positions such as network support engineer, security solutions architect and enterprise security architect, with the last 20 years focused entirely on security.