Where conventional wisdom says humans are the weakest link in cybersecurity, Lance Spitzner counters that they are the primary attack vector.
That may well be partly the security community’s own inadvertent creation. Security professionals tend to be technical, he says, which leads the industry to focus on technical solutions while overlooking the “human side of security.” As a result, threat actors are focusing on people.
Mr. Spitzner is an instructor and the director of Security Awareness for the SANS Institute. He shared this idea on a webcast for the RSA Conference organization titled Leading Change for CISOs: Embedding a Secure Culture. His presentation also outlined practical tips for building a culture of cybersecurity, which seemed useful to highlight here.
For illustration, he presented a slide of the numerous technical controls Microsoft has implemented for the Windows OS over the last 20 years. He knows from his research that if he connected a machine running an older version of Windows – with the default configuration settings – to the web, a threat actor would scan it and attack within three hours.
By contrast, if he did the same experiment with a modern version of Windows, hacking into it would be “really, really difficult now.” This is because the security community has become very good at “using technology to secure technology” and it remains secure “until a human [being] touches the keyboard – then all bets are off.”
Security Culture in Need of Upgrade
Gaps in security culture have shown up in the root cause analysis of incidents that were initially categorized as a technical vulnerability. Mr. Spitzner points to the 2017 Equifax breach as a case in point.
Initially, the cause was traced to an unpatched vulnerability in the Apache Struts library on the Equifax web servers. Many concluded the catalyst was a vulnerability that wasn’t patched, yet a comprehensive Congressional breach report pointed to a different root cause: culture.
As it turned out, at the time of the breach, the CISO at Equifax reported to the corporate legal department, while the CIO reported to business leadership. Importantly, the CISO and CIO had little interaction. As Mr. Spitzner put it, they didn’t talk to each other. So, while he admits there were a number of technical factors involved in that breach, those were “ultimately driven by people and culture.”
3 Tips for Building a Culture of Security
While the skills for building a culture of cybersecurity are different from technical skills, Mr. Spitzner says there’s a large body of knowledge that’s readily available (he cited and recommended several books, which we list at the bottom). At a high level, he says creating a culture is largely about change management. To that end, here are some of the tips we gleaned from his presentation.
1) Dedicate someone to the cause.
Changing a security culture is so important that it merits a champion; it is not an additional duty. Mr. Spitzner recommends assigning someone who is dedicated to security awareness and engagement across the organization. He says not doing so is like saying you want an incident response program without staffing the function.
2) Seek to add soft skills to the security team.
Too many organizations set out to build security awareness programs and put security teams in charge of them. There are two challenges with this approach. First, security teams are already overwhelmed with their operational duties. Second, these programs require skills beyond the traditional technical skillset these teams typically possess. A better approach is to put someone with soft skills in charge of the program. If you don’t have the resources for this, Mr. Spitzner suggests security leaders partner with other business functions, like marketing or communications, for help.
3) Review and simplify complex security policies.
If a group is motivated and a task is easy, there’s a higher likelihood that the task will get done. Conversely, if a task is hard and the group is unmotivated, then it’s not likely to ever happen. That’s the gist of the Fogg Behavior Model, which Mr. Spitzner displayed to convey the notion that change is a function of two variables: ability and motivation.
He cited traditional password policies to make this point: many required 16 characters with upper case letters, lower case letters, numbers and symbols. Users weren’t supposed to write these down and were required to change passwords every 90 days. Couple that with the fact that most people have a large array of password-protected accounts, and it’s easy to see how it becomes too hard to manage and the culture resists.
As a result, the top 10 most common passwords today are the same as they were a decade ago. It’s clear people aren’t changing their behavior, and while one might conclude that’s a motivation problem, Mr. Spitzner says it has more to do with ability. Understanding the difference between ability and motivation is a good framework for identifying complex security policies that are ripe for simplification.
* * *
Mr. Spitzner closed his presentation by quoting the security luminary Bruce Schneier, which sums up his message nicely:
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
The books he recommended as references for security professionals seeking to drive cultural change are:
- Made to Stick by Chip Heath and Dan Heath;
- Start with Why by Simon Sinek;
- Fast and Slow by Daniel Kahneman;
- Never Eat Alone by Keith Ferrazzi;
- Blink by Malcolm Gladwell;
- Nudge by Richard H. Thaler and Cass R. Sunstein;
- Switch by Chip Heath and Dan Heath; and
- Leading Change by John P. Kotter.
His full presentation, which is embedded nearby, runs just about 45 minutes and is well worth a listen.