People are among the most critical, and yet often the most overlooked and under-addressed, aspects of information security for enterprises today. As critical as it is to have the right technologies in place to counter emerging threats and an expanding attack surface, it is equally important for organizations to strengthen their defenses on the people front as part of their cybersecurity strategies.
As clichéd as it may sound, this is easier said than done. As with anything relating to humans, strengthening the people defense as part of the overall corporate cybersecurity program requires CISOs to first understand the complex workings of the human mind and its psychological underpinnings. This, in turn, may require a lot of un-learning and re-learning, as some of the popular assumptions they have worked by over the years of their CISO careers become questionable and redundant.
Akhilesh Tuteja, Global Cyber Security Practice Co-leader, KPMG, lists three of the biggest mental traps or assumptions that CISOs are used to working by when tackling the people aspect of cybersecurity within their organizations.
Assumption 1: Tendency to believe that if we have fixed something, then it will work the way we expect it to. We assume that the person using it is as knowledgeable about it as we are, and therefore don’t try to idiot-proof it. We allow it to be.
Assumption 2: When we test technologies from a human vulnerability perspective, we assume the world to be rational and normal. But when things go wrong, people are not normal and rational. There is panic. While many times you may do the right thing, under huge pressure you may not do the right thing. Compared to breaking systems down, breaking humans down is much easier. People get fooled much more easily. Technology can be broken down but can’t be fooled. It does the same thing all the time. We usually test systems for an ideal normal state, which we should not.
Assumption 3: Many of us as humans might still be in that denial state, saying it doesn’t happen because we haven’t seen it. The degree of consciousness about what can go wrong is not there because it has not happened to me in the past. A lot of things become more real when things go wrong with me.
While not wanting to generalize, Tuteja believes that organizations in India are not addressing the human problem as much as they should, and that they need to do more because India is inherently a trusting economy. “We trust people more because that’s part of our DNA. Contrast that to some of the Western world where people don’t trust each other so easily. Because of these reasons I believe we are not doing enough,” he explains.
As a first step towards strengthening the ‘people defense’ of their cybersecurity game plan, CISOs need to break free of the shackles of traditional thinking and start avoiding these mental traps.