09-17-20 - What's Smart About Calling Your Users Stupid?

CISO Series

This week's episode of Defense in Depth, "Calling Users Stupid," is hosted by me, David Spark, producer of CISO Series, and Allan Alford. Our guest is Dustin Wilcox, CISO, Anthem. All three of us discussed:

  • Security people have notoriously had a "better than them" attitude towards their users, whom they view as the ones causing all the problems and making their lives more difficult.

  • Calling users stupid for making a "mistake of effort," even if it's behind their back, does not foster a bond with the security team. It fosters the us vs. them attitude.

  • Security professionals will have a lot more success if they understand why users do the things they do. Once there is that understanding, cybersecurity will be better able to design systems that accommodate users.

  • About a third of your users confidently believe they're following the right cybersecurity procedures. That discrepancy is not the fault of the users; it's the fault of cybersecurity's education of users.

  • Security can always be more effective in offering up the right tools and the correct education.

  • Security awareness must begin with good service and process design.

  • Phishing tests are pointless for determining security effectiveness. That's because no matter how low your click rates go, someone can always create a more creative test that will send them soaring back up again.

  • If your defense in depth strategy is so poorly designed that your company can be compromised by the simple click of a phish, then you've got a poorly configured security stack.

  • Security professionals' jobs exist because of their users. If there were no organization and no users, there would be no need for security professionals.

  • Quoting Albert Einstein: "If you judge a fish by his ability to climb a tree, he will live his whole life thinking he is stupid."

  • Look at user mistakes as an education moment, not an opportunity to put them down. If you educate them, they'll go on to educate others as well. Mistakes can actually be very beneficial.

Special thanks to this week's podcast sponsor, Hunters.

Attackers always find new ways to bypass organizational defenses. While their traces hide in the data, they're also extremely difficult to detect. Hunters.AI is a context-fueled XDR solution that harnesses top-tier threat hunting expertise and ML to autonomously detect, investigate and correlate attack findings across cloud, network, and endpoint.

Cyber Security Headlines - September 16, 2020

This week's sponsor of Cyber Security Headlines is Dtex Systems.

TOMORROW! Friday [9-18-20] We're Hacking Biometrics

Please join us on Friday, September 18th, 2020 at 10 AM PT/1 PM ET for "Hacking Biometrics: An hour of critical thinking about using ourselves as a means to enhance the identity journey and our security posture".

Joining me in this discussion will be Jason Cramer, head of engineering, Daon, and Sridhar Kotamraju, head of product strategy - digital identity, fraud/payments, PNC.

Plus, immediately after the video chat (11:00 AM PT/2:00 PM ET) we'll roll over to the CISO Series Friday Meetup. Each participant will be randomly matched up in impromptu 1-on-1 five-minute conversations with fellow cybersecurity professionals. A link to do that will be made available during the video chat.

Thanks to our sponsor Daon.

Best Moments from "Hacking the Human" - CISO Series Video Chat

Here are seven minutes of the best moments from last week's CISO Series Video Chat: "Hacking the Human: An hour of critical thinking on the additional benefits of securing people".

Joining me in this discussion were Robert O'Brien, CEO, MetaCompliance, and Shawn Bowen, CISO, Restaurant Brands International. Check out the blog post to watch the video, read the "Best Bad Ideas" and the best quotes from the chat room, and get access to the full one-hour recording.

Huge thanks to our sponsor, MetaCompliance.

Subscribe to all our podcasts

Click any of the podcasts below to get access to the subscription feeds. If you're already a subscriber, thank you!