[03-30-23] Security That Accounts for Human Fallibility

CISO Series

Defense in Depth

We expect our users to be perfect security responders even when the adversaries are doing everything in their power to trick them. These scams are designed to make humans respond to them. Why aren't we building our security programs to account for this exact behavior that is simply not going to go away?

Check out this post for the discussion that is the basis of our conversation on this week’s episode of Defense in Depth co-hosted by me, David Spark, the producer of CISO Series, and Steve Zalewski. Our guest is Ken Athanasiou, CISO, VF Corporation.

It’s far easier to blame users than to fix our systems. Mistakes happen, yet we don't build that assumption into the security programs we design. "Seems to me we underestimate the depth, breadth, and dynamics of culture change and how people change and how we change people. So the easiest thing to do is just blame,” said John T. of Quest Software. Blaming people doesn’t solve the problem, and if you choose to apply punitive measures for mistakes, you probably won’t get much change. You’ll probably damage your corporate culture.

Walk a mile in your users’ shoes. "It's tough to understand the end user's position and think about what their workday looks like and how to embed yourself,” said Ayoub Fandi of GitLab. Part of the cybersecurity professional’s job is to elevate the performance of their employees. "We talk at them (or worse, down to them) with our training, instead of making them part of our defenses,” said Brennan O'Brien, CISO of Genesis Financial Solutions. Go ahead and ask your employees what the toughest part of their day is and where they may be prone to make mistakes. That’s exactly the information you need to do your job better so they can do their job better.

Employees should understand their value to the business. We often tell employees that if they make a mistake, they should let us know. But even though we say that, no one truly believes it. "What we should be striving for is the psychological safety to make mistakes and own them," said Simon Goldsmith of OVO. It’s important to create a culture where they do truly believe that, and the way you do that is for them to see how their contributions play out to the rest of the business. "If you take pieces from a bunch of different places/platforms and aggregate them so they understand how they fit into the bigger picture, that is an employee's risk level,” said Bryn Standley-Ossa of Segment.

It’s security’s job to make it right for the user, not the other way around. "When faced with the option of doing what is ‘right’ vs ‘what is easy,’ users will always tend to do what is easiest for the task at hand,” said John Scrimsher, CISO of Kontoor Brands. “Ultimately the best answer is to ensure that what is right is also the easiest option.” And users are already saying this, noted Jonathan Waldrop of Insight Global. They’re literally saying, “Make it easy for me.”

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to our podcast sponsor, Code42

LIVE! Cyber Security Headlines - Week in Review

Make sure you  to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Brett Conlon, CISO, American Century Investments.

Thanks to this week's headlines sponsor, Trend Micro

Cyber chatter from around the web...

Jump in on these conversations:

"Do you wish cybersecurity companies marketed better?"

"How to keep yourself updated? Expanding knowledge daily and exploring topics?"

"Advice for a newer Cyber guy to improve/create a cyber security infrastructure."

Thank you!

Thank you for supporting CISO Series and all our programming.

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.