People’s Role Remains Essential in Cybersecurity Management

In the lead-up to the 1992 US presidential election, Bill Clinton’s campaign famously displayed a large sign in its headquarters that read “It’s the economy, stupid.” This sign served as a constant reminder of the campaign’s most important message. As we approach the fourth quarter of 2023, many Chief Information Security Officers (CISOs) would benefit from a similar sign in their conference rooms that reads “It’s the people, stupid.”

Looking back at 2023 and ahead to 2024, it is clear that this year has been rife with distractions for executives in the cybersecurity field. From wars to new malware campaigns, industry mergers, and generative AI, these developments demand a great deal of attention from executives. However, it is essential that amidst these distractions, executives do not lose sight of the individuals who attack, use, and defend their enterprise infrastructure.

Executives often discuss the significance of generative AI in amplifying the efforts of their technical security staff. While other industries are exploring the possibility of replacing staff with AI, the cybersecurity field recognizes the existence of a skills shortage. Therefore, a more realistic view of AI has emerged within the cybersecurity community.

Although the cybersecurity staff benefits from the multiplication effect of AI, the same cannot be said for the broader population of users. There is a danger that executives may draw wrong conclusions about the role employees play in cybersecurity due to these distractions. Some executives mistakenly believe that employees are their first line of defense against threats and attacks, both internal and external. However, this is only true if the cybersecurity infrastructure is poorly designed and implemented.

In reality, employees are the last line of defense in cybersecurity. Before a malicious payload, criminal URL, or fraudulent message reaches an employee, it must pass through multiple layers of screens, filters, and defenses. Nonetheless, because employees serve as the final barrier, it is crucial that they receive proper training to recognize and respond appropriately to the threats that manage to reach enterprise screens. Continuous training, practice, and retraining are necessary to ensure that this last line of defense is fully prepared to protect the enterprise.

In the pursuit of combatting malware payloads, system vulnerabilities, and malicious campaigns, executives sometimes overlook an important aspect: all of these are initiated or taken advantage of by human beings. These individuals have goals, make mistakes, and can be understood in the same way as any other human beings. By striving to understand these individuals, it becomes easier to overcome their technology and tactics. It is important to note that this perspective should supplement, not replace, the focus on tactics and technology.

By keeping people at the forefront of cybersecurity planning, organizations can practice proactive security measures that address issues before they are successfully exploited. Additionally, this approach provides critical context for building successful cybersecurity strategies that can adapt to changes in the technologies and tactics employed by the human criminals behind these attacks.

As we move forward, it is crucial for CISOs and executives in the cybersecurity field to remember the importance of prioritizing people in their strategies. While new developments and distractions may arise, it is the human component that ultimately plays a critical role in defending against cyber threats. Just as Bill Clinton’s campaign sign served as a constant reminder of their key message, CISOs would benefit from a similar reminder to keep people at the forefront of their cybersecurity efforts.
