October 24, 2023
In today’s world, it would be tone-deaf to deny that humans are often labeled as the weakest point in the cybersecurity chain – there, we said it at the lowest possible decibel to begin our inaugural blog.
To clarify, we are talking about human-centric risks in workplaces, but we don’t mean the risk of them being insider threats with malicious intent, nor do we mean humans posing threats from a physical perspective to in-office or building-related security.
What we mean is this: Employees at all levels of an organization are simply unaware of their own security posture and of their outstanding security gaps, tasks, risks and issues. This lack of awareness within the workforce drives a friction-filled, not-so-stellar relationship with their security teams, where every interaction feels like a rap on the knuckles. At the same time, employees know they don’t behave securely, and they proceed with their insecure behavior anyway, bypassing controls for productivity reasons. They have developed a mindset that security is someone else’s responsibility and that security teams only engage them when something is wrong.
A Gartner survey conducted in May and June 2022 among 1,310 employees revealed that 69% of employees had bypassed their organization’s cybersecurity guidance in the past 12 months. In the same survey, 74% of employees said they would be willing to bypass cybersecurity guidance if it helped them or their team achieve a business objective. Reading between the lines, security and productivity are – in their eyes – at odds.
Human-centric security is an approach to cybersecurity that recognizes all these facts and dynamics and instead focuses on the human element of the security equation. This means educating, empowering, engaging and leveraging humans as a key factor and asset for security, rather than treating them as a liability or vulnerability. It happens by modernizing the security culture so that every human in the workforce eagerly and enthusiastically participates in their own security – by collaborating with the security team and celebrating small wins every day. When was the last time you high-fived or hugged your security team because they complimented you on good behavior? (Or when you were vibing with them because they were rocking out your favorite tunes and amping you up?) That represents true commitment to humans as the center of cybersecurity practices.
Gartner has identified Human-Centric Security as the #1 Cybersecurity Trend for 2023, recommending that “security leaders must pivot to a human-centric focus to establish an effective cybersecurity program, and is essential to reduce security failures”. It goes on to say that “By 2027, 50% of large enterprise chief information security officers (CISOs) will have adopted human-centric security design practices to minimize cybersecurity-induced friction and maximize control adoption”.
We bet you’ve already experienced human-centric security as a consumer in your personal life.
You most likely have a credit card, and at some point, your credit card company has called or messaged you to verify whether a recent transaction was real or fraudulent. You provided context and then either approved or declined the transaction. You were engaged, empowered and asked to take action – you as a human participated in your own security!
Why did your credit card company bother to reach out to you, the human, to execute this last mile of security defense? They employed sophisticated fraud detection technology and automation to identify the risky card transaction in the first place, and could have extended that automation to deny or approve the transaction outright. They reached out because they recognize that automation and AI have their limits – and getting it wrong is disruptive to the trust and convenience of the consumer. This reinforces the point that there is a trade-off between security and productivity, and that engaging the human is key to making both work in harmony.
So how could security teams leverage human-centric security for their workforce users? One obvious area is identity security: most organizations have an identity management solution such as Okta, Microsoft Azure AD or Google IAM that sends workforce users notifications – “was this really you?” – on their mobile devices. This typically happens when there is anomalous login activity, such as access to company resources from an unfamiliar device or location, or at an unusual login time.
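To make the identity example concrete, here is an added illustration (not code from the original post or from any of the vendors named above) of the loop such a notification closes: a small per-user profile of known devices, countries and usual login hours, a scoring step that lists what is unfamiliar about a new sign-in, a “was this really you?” prompt instead of a silent allow or block, and a feedback step that learns from a confirmed answer or escalates a denied one. All events, field names and the profile structure are constructed assumptions, not any provider’s log schema.

```python
"""
Added example: a minimal "was this really you?" check with the human in the loop.
Events, user names, device ids and field names are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    usual_hours: set = field(default_factory=set)   # UTC hours seen on confirmed logins


@dataclass
class LoginEvent:
    user: str
    device_id: str
    country: str
    timestamp: str   # ISO 8601, assumed UTC


def unfamiliar_attributes(profile: UserProfile, event: LoginEvent) -> list:
    """Return what is unfamiliar about this sign-in; an empty list means nothing anomalous."""
    reasons = []
    if event.device_id not in profile.known_devices:
        reasons.append("unfamiliar device")
    if event.country not in profile.known_countries:
        reasons.append("unfamiliar location")
    hour = datetime.fromisoformat(event.timestamp).hour
    # Only judge the time of day once the profile has some confirmed history.
    if profile.usual_hours and hour not in profile.usual_hours:
        reasons.append("unusual login time")
    return reasons


def evaluate_login(profile: UserProfile, event: LoginEvent) -> dict:
    """Allow familiar sign-ins; ask the human about anything unfamiliar rather than deciding alone."""
    reasons = unfamiliar_attributes(profile, event)
    if not reasons:
        return {"decision": "allow", "reasons": [], "prompt": None}
    prompt = (f"Was this really you? Sign-in from {event.country} on device "
              f"{event.device_id} at {event.timestamp} ({', '.join(reasons)}).")
    return {"decision": "verify", "reasons": reasons, "prompt": prompt}


def apply_user_response(profile: UserProfile, event: LoginEvent, it_was_me: bool) -> str:
    """Close the loop: a confirmed sign-in extends the profile, a denied one is escalated."""
    if it_was_me:
        profile.known_devices.add(event.device_id)
        profile.known_countries.add(event.country)
        profile.usual_hours.add(datetime.fromisoformat(event.timestamp).hour)
        return "allow"
    return "escalate"   # security team takes over: session review, credential reset, etc.


def run_demo() -> list:
    """Walk a constructed user through three sign-ins and return the decisions taken."""
    profile = UserProfile(known_devices={"laptop-01"}, known_countries={"US"}, usual_hours={9, 10, 11, 14, 15, 16})
    events = [
        LoginEvent("alice", "laptop-01", "US", "2023-10-24T10:05:00"),   # routine
        LoginEvent("alice", "phone-07", "US", "2023-10-24T15:30:00"),    # new phone, confirmed by Alice
        LoginEvent("alice", "unknown-99", "XX", "2023-10-24T03:15:00"),  # new device, new country, 3 am, denied
    ]
    answers = {"phone-07": True, "unknown-99": False}
    outcomes = []
    for ev in events:
        result = evaluate_login(profile, ev)
        if result["decision"] == "verify":
            result["final"] = apply_user_response(profile, ev, answers[ev.device_id])
        else:
            result["final"] = "allow"
        outcomes.append(result)
    return outcomes


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome["final"], "-", outcome["prompt"] or "no prompt needed")
```

The design choice worth noting is that a confirmed answer enriches the profile, so the next sign-in from that phone is allowed silently; the user is only interrupted while something is genuinely new.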
Have you ever wondered how a human-centric approach would address some of the key friction points related to other areas of security in the workplace?
Patching out-of-SLA vulnerabilities and software updates – We’re all too familiar with delaying and postponing patches or updates on our desktops or laptops to the point where security teams start sending warning messages. At some point it’s out of your control – the update is forced onto your computer at the most inconvenient time, typically during an important meeting or a work project. What if security teams could individually reach out to employees and truly collaborate with them to schedule a convenient time to patch based on their free time slots, and then actually apply the update at that time? Oh, and how about communicating the criticality of the update with empathy, tailored to individual roles and with context, by educating you on the cost of delaying it?
Anomalous SaaS app activity – You are working in your favorite SaaS productivity application such as Google Drive, Dropbox or Slack and have just shared some content externally. Perhaps the permissions were too broad (shared publicly with everyone), the content contained sensitive corporate data, or the share required granting a new SaaS app or integration access permissions that are risky because they are too broad or too long-lived. These actions happen so quickly and frequently in today’s SaaSy world that employees are unaware of their implications. What if security teams reached out to you to educate you on this behavior, gathered critical human context about it to determine whether the action was legit, and took corrective action without hurting productivity?
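The SaaS sharing scenario is easier to reason about with a worked illustration, so here is an added example (not code from the original post or from any of the applications named) of the triage step a security team would run before reaching out: each sharing event is checked for the three risk signals the paragraph names (public visibility, sensitive content, and a broad or long-lived integration grant), a check-in message is composed for the employee, and the employee’s answer decides whether the share is revoked, narrowed or recorded as an approved exception. The events, scope names, sensitivity labels and the 90-day lifetime limit are constructed assumptions, not any vendor’s scopes or policy.

```python
"""
Added example: triage of SaaS sharing events with the employee's context in the loop.
Scope names, labels, thresholds and events are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed examples of "broad" integration scopes; a real policy would list the provider's own scopes.
BROAD_SCOPES = {"drive.readwrite.all", "files.write.all", "channels.read.all"}
MAX_GRANT_DAYS = 90   # assumed policy: integration access valid longer than this is flagged


@dataclass
class ShareEvent:
    user: str
    app: str
    item: str
    visibility: str                  # "private" (named people), "domain" (whole company), "public" (anyone with link)
    sensitivity: str                 # "none", "internal", "confidential"
    integration_scopes: tuple = ()   # scopes granted to a third-party app as part of the share
    grant_lifetime_days: Optional[int] = None


def triage(event: ShareEvent) -> list:
    """List the risk signals present on a sharing event; an empty list means nothing to follow up."""
    findings = []
    if event.visibility == "public":
        findings.append("shared publicly with anyone who has the link")
    if event.visibility != "private" and event.sensitivity == "confidential":
        findings.append("confidential content shared beyond named individuals")
    broad = sorted(set(event.integration_scopes) & BROAD_SCOPES)
    if broad:
        findings.append("integration granted broad scopes: " + ", ".join(broad))
    if event.grant_lifetime_days is not None and event.grant_lifetime_days > MAX_GRANT_DAYS:
        findings.append(f"integration access lasts {event.grant_lifetime_days} days (policy limit {MAX_GRANT_DAYS})")
    return findings


def check_in_message(event: ShareEvent, findings: list) -> Optional[str]:
    """Compose the outreach to the employee: explain what was seen and ask for context, not a confession."""
    if not findings:
        return None
    bullets = "\n".join(f"  - {f}" for f in findings)
    return (f"Hi {event.user}, we noticed your share of '{event.item}' in {event.app}:\n{bullets}\n"
            "Was this intended? If yes, tell us who needs access and for how long; if not, we'll undo it.")


def corrective_action(event: ShareEvent, findings: list, intended: bool) -> str:
    """Decide the least disruptive fix once the employee has answered."""
    if not findings:
        return "none"
    if not intended:
        return "revoke"                  # a mistake: undo it quietly, no productivity lost
    if event.visibility == "public":
        return "narrow-to-named-users"   # intended, but a link for "anyone" is rarely what was needed
    if any("integration" in f for f in findings):
        return "reissue-grant-with-reduced-scope-and-expiry"
    return "record-approved-exception"   # intended and confirmed: keep it, with an audit trail


def run_demo() -> list:
    """Triage three constructed events and return (findings count, action) per event."""
    events = [
        (ShareEvent("alice", "Drive", "Q4 board deck", "public", "confidential"), False),
        (ShareEvent("bob", "Slack", "vendor export", "private", "internal",
                    ("files.write.all", "users.read"), 365), True),
        (ShareEvent("carol", "Dropbox", "team photo", "domain", "none"), True),
    ]
    results = []
    for event, intended in events:
        findings = triage(event)
        results.append((len(findings), corrective_action(event, findings, intended)))
    return results


if __name__ == "__main__":
    for event, _ in [(ShareEvent("alice", "Drive", "Q4 board deck", "public", "confidential"), None)]:
        print(check_in_message(event, triage(event)))
    print(run_demo())
```

Two details carry the human-centric point: the message asks for context rather than announcing a violation, and an intended-but-risky share is narrowed or reissued with a shorter lifetime instead of being blocked outright.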
Modern security practitioners are trying to create an environment in which humans exhibit strong security behaviors. To secure organizations, they want to secure people. To secure people, they want to change human behaviors. To change human behaviors, they want to both motivate and empower them to change. That’s where human-centric security for workplaces comes in.
If human-centric security were implemented in workplaces, it would build a sense of “cyber judgment” in the workforce – the ability of employees to make cyber-informed decisions autonomously. It would scale the pockets of cyber expertise and democratize security across the whole company, helping it become “business as usual” where “security is on by default” everywhere. It would truly enable security practitioners to deliver on the promise of balancing security with human convenience. It would smooth out the road bumps for cybersecurity, since people would no longer be circumventing controls!
It’s about empowering the workforce – the humans on whom you rely – with ways to solve their challenges, and also clearly articulating the ways humans make a difference in security. The feedback loop is critical, as people want to know: “Why am I doing this? What’s in it for me? Am I helping the organization? Is what I’m doing effective?”
In future blogs we’ll dig into how to implement human-centric security in workplaces and the cultural impact it can have on the workforce, so stay tuned!
Does your workplace implement human-centric security practices? Share your experience of what has worked and what has not – we would love to learn through your commentary!