Earlier this month Harry and I attended the second edition of the Cyber UK conference in Liverpool, hosted by the National Cyber Security Centre (NCSC) (https://www.ncsc.gov.uk/).
Across three days of talks, workshops, networking, and hacking challenges (which we won!) we heard a lot of ideas and opinions about the state of information security in the UK and how to improve it.
Two of those ideas particularly resonated and were repeated by multiple people in different ways:
Security is a team sport
Some voices at the conference suggested that security culture in organisations would be improved by making individual managers and development teams accountable for security breaches.
That sort of thinking is not dissimilar to the adversarial relationships you get in contract-driven working environments.
As a team which values “customer collaboration over contract negotiation”, we don’t think this sort of thing leads to positive results: security is everyone’s responsibility. That’s why (for example) every dxw employee, regardless of their job role, gets a security briefing from an actual pen tester on their first day.
Stop punishing people
Thankfully a more common idea was that security is most effective when it focusses on helping people to do things well, not punishing them for doing things wrong.
This was best phrased by Emma W from the NCSC who said:
“People are not the weakest link. They are the only link. If security doesn’t work for people, it doesn’t work.”
She talked about how punishing users for falling for phishing attempts doesn’t make any sense: some phishing attempts are genuinely convincing, so taking it out on the users wastes time and money, hurts users, and most importantly doesn’t actually change anything!
Rod Chapman of Altran UK summed things up nicely when he said:
“You can’t make software more secure by saying ‘be more careful, you idiots’”
Another frequently discussed topic was ‘shadow IT’: the systems that pop up when official tools and policies get in the way of people doing their jobs. Perhaps they’ll share passwords to make sure that their colleagues have the access they need at critical moments, or make a spreadsheet of customer data to work around restrictions on processing personal data.
Traditionally the approach has been to treat this sort of thing as a disciplinary issue, backed up by awareness campaigns. But this is unlikely to be effective, since for the most part people know that they’re working around the rules.
The message from the conference was different: recognise that if people are resorting to shadow IT then there are problems with your security approach. Find out what those problems are and work with your employees to find more secure solutions to them.
Putting people back in the equation
Traditional security has focussed on policies and technology and has tended to treat people as a problem to be mitigated by those two elements.
The message at Cyber UK was loud and clear: a collaborative approach to security will be much more effective than an adversarial one.
In the words of Dr Richard Horne from PwC:
“The attackers focus on people, process and technology; we need to as well”