As anyone who’s been paying attention at this week’s RSA Conference in San Francisco has learned, the human element in cybersecurity can mean many things.
From employees introducing vulnerabilities and the well-documented shortage of IT security workers to the need for more collaboration between a security team and the rest of an organization, attendees have gotten constant reminders that the cybersecurity World has for too long underestimated the rule humans play in the security mission.
With that in mind, I set out to find out what the human element, which happens to be the theme of this year’s conference, means to them.
I posed the same question to everyone I spoke with: What does the concept of the human element mean to you as a security professional? And just as the Conference has reflected, the responses I got ran the gamut.
Natalie Haywood, a first-time attendee who heads up information security for Portland, Ore.-based nonprofit KinderCare Education, said it means ensuring that everybody’s eyes are wide open. Haywood believes that starts with something the industry has traditionally done poorly: helping users better understand their security role.
“The attackers spend a lot of time getting into our heads, and they’re winning,” she said. “Any good program relies on adoption, and in security we rely on enforcement. We’ve got to get past that.”
For Brad Carlton, an IT manager for the Zeeland, Mich., Board of Public Works, the term human element brings to mind the culture of resistance that characterizes his user base. He’s trying to change that through education.
“I don’t think people fully understand the risks we face and what the implications might be,” said Carlton. “Employees are your first line of defense, but they’re also your biggest vulnerability.”
Our question spurred thoughts of staffing challenges for Amir Velho, a security product owner for Brazilian IT consultancy Agility. Specifically, he said Agility is having difficulty finding security employees who can effectively communicate both internally and with customers.
“How can we help our people start to answer the big security questions?” Velho asked in response. “We can’t do it with artificial intelligence or with other machines. We must have people to answer these kinds of questions.”
Peter Smith, an account rep for Nexum, a Chicago-based value-added reseller of security solutions, had a different take on the staffing issue, pointing to the fact that there simply aren’t enough job candidates with the skills companies need to keep up with the endless parade of security tools they’re turning to today to manage their increasingly complex hybrid environments.
“The cloud is eating the world, and every organization is strapped for people and skills,” Smith said. “That's the human element."
Rashmi V, CEO of ITASC Solutions, a San Mateo, Calif.-based IT auditing, security and compliance consultancy, had the most direct reaction to the question: that security succeeds and fails because of humans.
“Whenever you’re working on security, you need to take humans into consideration, not just technology,” Rashmi said. “Humans are the ones not taking care of security requirements.”
But she also acknowledged that it’s not just about security practitioners remembering that there are humans on the other end of their actions. If those humans don’t hold themselves accountable, the efforts of the security pros will be rendered moot.
“You need to understand how your action or inaction can lead to breaches,” said Rashmi.
One thing’s certain: That would make a lot of security folks mighty happy.