On the sidelines of the recently held Gartner Security and Risk Management Summit, Jeffrey Wheatman, research vice president, Gartner, sat down with Security Advisor ME to discuss the important role that the human factor plays in cybersecurity.
The human aspect is often considered the weak link of any security strategy. Is the lack of communication a big factor as to why people still fail to see the importance of cybersecurity?
I believe communication is ultimately about getting people with different perspectives and backgrounds to understand the issues around cybersecurity. So, for example, when you talk to executives about the fact that people within their workforce are causing the gaps in their security strategies, their solution is usually to issue stricter policies for reprimanding those who commit security blunders.
However, this is not an ideal solution. Accountability and responsibility should not be projected as burdens that punish employees. Doing so will only stifle employee productivity and hinder them from supporting the goals of the business.
So, the key thing to understand is how they can bring everyone within the organisation together and help them understand what the risks are. There are some people who are innately helpful and kind, and they will sometimes respond to emails or click on links without doing their due diligence to check if a certain communication is from a legitimate member of the company. This is what hackers are often banking on when conducting phishing attacks or social engineering.
That’s why there should be constant education within the workplace to help every individual recognise what a potential attack looks like. IT and business leaders need to find a way to get their employees to internalise these things and understand what the risks are to the business, their personal finance, their family and so on. There should also be regular training to help them understand the proper steps they can take to thwart these attacks. For a security strategy to be a success, there needs to be a security culture within the organisation.
While everyone plays a key role in ensuring security within an organisation, who is actually responsible for cybersecurity within the enterprise?
What organisations need to understand is that there is a difference between responsible and accountable. The CEO is not responsible for security. However, the CEO and the executive management team need to be accountable for the decisions that are being made around security strategies and investments. All organisations, whether they are in the public or private sectors, have to keep a balance between protecting and running the business.
With every risk that an organisation faces, someone needs to be responsible for evaluating it and saying, ‘Yes, we’re okay to accept that risk,’ or ‘No, we are not.’ The business, the board and the C-level executives need to be making those decisions and be held accountable for them.
As for CISOs and other security leaders, their responsibility is to provide all the necessary information to the C-level executives so they can make informed and valid decisions.
Unfortunately, that accountability is not shifting as rapidly as we would like. And CISOs and security risk leaders are often becoming the scapegoats when cyber incidents escalate.
Artificial intelligence and machine learning are the latest buzzwords in the industry today. So, how do you think AI and machine learning will help close that skills gap?
AI is a double-edged sword because the attackers are also using AI and machine learning.
For those organisations who are considering buying an AI-enabled solution and deploying machine learning technologies, they need to ask their vendors first, ‘What does your tool do better with AI than it did without it?’, ‘What does your tool do that it didn’t do before you had AI?’ and ‘How did AI make your offering better than your competitors’?’
When it comes to automating solutions, you first need to understand what the different processes are within your organisation. Failing to do so will only do more harm than good, especially for large enterprises that use multiple processes.
That being said, AI is very instrumental in reducing cumbersome tasks like data and event management. If you have hundreds of millions of threat data points that you need to evaluate, automated tools can help you get rid of the background noise. It is also helpful in analysis aspects such as basic blocking and patching. Increasingly, automation is also becoming helpful in penetration testing and vulnerability management. There are no perfect solutions, but these tools can get us closer to where we need to be.
How do you think security roles will transform in the next 12 months?
So, I think we need to see more security and risk leaders who have business acumen and can understand a profit and loss (P&L) statement. We need those who can go in front of the board of directors and have an engaging conversation about why security is an important investment instead of just throwing technical jargon at them.
I believe security and risk management leaders, both here in the Middle East and across the globe, will play an important role within businesses going forward. They will be instrumental in helping build a consensus between the IT and business functions of the organisation in terms of making decisions around security strategies.