SecurityWeek

Management & Strategy

The Weakest Link is the Human Link

“A chain is no stronger than its weakest link, and life is after all a chain” -William James

I was reminded when talking to a friend and colleague this week that security is, fundamentally, about people. It is basically a social activity for all that we focus so intently on the technology and on the minutiae of events. And while there isn’t always a traitor to point to, there is always a uniquely Human dimension to security.

And why not? After all, we are building systems and networks that serve people. These are in turn serviced by people and require security to prevent other people from stealing or denying or modifying what we as people fundamentally value.

That means that this is ultimately about Human psychology and about Human strengths, weaknesses and foci.

This is found even in our definitions of intelligence and our approach to artificial intelligence. The Turing Test, for instance, is all about proving “real” intelligence by the standard of measuring responses by a machine in the imitation game to the point that someone else whom we know to be “really” intelligent is convinced that they are in fact communicating with a person.*

What’s the point of this? It’s that ultimately, we are the weakest link. We have to stare right at that and realize that our inability to be omniscient, our propensity to be conned and our frailty and faults in reasoning will invariably lead us to make mistakes and open exposures for our companies.

The good news is, though, that knowing that we can start to deal with the Weakest Link differently. This is not a zero-sum game, and it’s not a binary situation. We need to realize that the attackers are also limited in their Human frailties as well, and that’s where things get interesting.

This Human frailty dimension is true organizationally for us in defense and in building companies and business units and operational teams. The largest challenges that we face in dealing with disruptors aren’t actually in the technical dimension; they are in the Human one.

I was asked by a fellow security professional the other day how to go about using DLP** to do classification in the environment. The conversation was basically “page three of any good security manual drills into information classification – it’s the no-brainer of security…so why aren’t we doing more of it as an industry?” The answer is actually a little scary: doing DLP for DLP’s sake, without any institutional understanding of risk and of what the implications of enumerating data might be, means that, in a sense, a DLP project potentially opens Pandora’s Box.


Imagine an enthusiastic, well-meaning data discovery and classification project sets out and finds data and classifies it. Imagine that it finds some good things and some bad things in a modest-sized environment. So what’s next?

Do you tell your manager and what does he or she do then? Do you approach Legal, with hands trembling and shaking around the paper with the telltale results in hand and try to explain the results and what the implications might be? Or do you immediately seek funding for the projects to contain and limit the scope of the data sprawl that you’ve discovered?

Now admittedly knowing is better than not knowing, especially now where ignorance for most organizations is not an excuse. However, the whole thing is a lot easier if the difficult challenges of having a lingua franca around risk are in place ahead of time and if the Human dimensions of the problem are put to rest before starting the scanning and classification.

The first instinct when faced with a technical problem (and what could be more technical than data classification?) is to find a tool…when in fact the first step should be to adapt processes and organizational relationships to understand data-related risk. If that’s done first, then the subsequent deployment and use of a tool to discover and classify data is trivial and actually routine.

So we come back again to the weakest link: the Human link. The best constructs and systems that we build are most effective and focused when the Human beings around them are focused and coordinated. Likewise, the attackers who seek to invade and disrupt our businesses and our lives are most effective when they too solve their Human-related issues and all pull together; and they are most effective in their tasks when they disrupt our organizations and exploit that weakest link.

We in security are technologists and often deep thinkers around technology issues, and I think that we should all stop and think about the Human dimensions in any project or risk assessment, in any briefing or task; and we should focus on the people, the processes and the way we manage risk in general in our companies before we dive into the tools and intricacies of our trade. That’s fun and it’s what we love, but I’d rather our work was more effective and focused by leveraging Human strengths when coordinated together than when driven apart by isolation and seeing seams exposed in our organizations that don’t have to exist.

* Consider that intelligences might exist or be created that neither care for nor can relate to a Human mode of thinking and might quite easily be classified as “insane” by most psych professionals…in fact would almost certainly be classified that way (unless of course someone knows of an Old One, Cthulhu therapist).

** I still don’t like the name DLP: not only is it an acronym, but it’s an operationalized naming that limits the way we think about it to just the simplest use cases (e.g. email and USB leakage), which it should of course address. What it should really be is a tool to create an information stack that can accept policy and report on state…that is far more useful conceptually to an organization than just “stop USB leakage.”
