Panel Discussion: “Delivering the Strongest Link”
- The attackers focus on people, process and technology (probably better than the rest of us do)
- “What does it look like to put people first”
- Business asks people to take personal responsibility for their work, Security instead acts as C&C - clash of cultures
- Shift: listen to and engage with staff to understand the reason that they’re not complying with policies
- Reaction to noncompliance is to run awareness campaigns: these don’t work, because awareness often isn’t the problem
- Give a company the ability to lock things down and they will lock EVERYTHING down - unusable
- IT don’t trust users to not make mistakes
- “shadow security” - people finding their own ways of protecting their stuff
- Analogy to Health and Safety - a super innovative thing at the time - we need something equivalent for security
- Role of boards
- Need to pass these ideas down into the supply chain. Otherwise we’re just ‘hiding the mess’
- It’s not “deep technical expertise or nothing”
- Need to get rid of compliance culture
- “It’s not black and white. We are taking risks: what are those risks”
- Need to find why it matters to the board:
- Don’t start with compliance: start with risks, and the way it helps you move faster with more confidence
- Risk is conflated with lack of compliance
- ?
- Security is seen as a pain because the sec community treats risk as a checkbox exercise: why should anyone else care
- conversation is one-way
- need scalable tools to allow SMEs and small business to benefit
- Don’t burden SMEs with a load of governance - they can’t handle it
- Cyber skills shortage
- Mid-career pivots
- Need cybersec ability in Law, medicine etc
- Massive lack of diversity of skills in cyber professionals
- Need to stop “having a go” and bring in specialists
- If people keep viewing this as something superhuman, they’ll never think it’s something that they can do
- Do we underestimate the value of face-time?
- People remember personal stories
- War stories, personal experiences
- Humans speaking in person in a trusted closed circle are more likely to share near-misses
- Fear campaigns: if people are afraid but don’t have the skills to mitigate risks then you don’t get good results
- Send the right people: middle aged man in a suit is unlikely to get a team of devs to open up to them
- Need to make sure that people are engaging in open conversations because if not then
- Advice for CSOs
- Spend a lot of time understanding all parts of the business - not just the bits falling in security domain
- Move beyond red/amber/green
- Stop perpetuating the security silo: it’s everybody’s problem