Looking back over his 18 years in the cyber security industry Chris Pogue sees nothing to boast about. “Arguably we haven’t gotten any better at cyber security,” the CISO of Virginia-based consulting firm Nuix told the annual SecTor conference in Toronto on Wednesday. “We’ve actually gotten worse.”
“Why do we suck at this? Why are we still fighting the same battles? Why haven’t we made any progress?”
The reason isn’t technology, he said, it’s people.
Infosec pros have to do a better job of the basics of security, including patching and properly configuring devices, and must train employees to be more security-aware, he said.
According to one study, 47 per cent of breaches can be attributed to malicious activity by attackers, 25 per cent to human error and 21 per cent to “system glitches.”
“I don’t really believe that,” Pogue said, “because I’ve worked probably 2,000 breach investigations in 18 years and I have never worked a single breach that was caused by a system glitch – an unknown failure of a computer system to an attacker. Not one.”
“It’s not the technology – we have been doing this for 18 years and we have adequate technology to prevent data breaches, and yet we keep having them at alarming rates.” However, people always need a scapegoat, he suggested. When something good happens we take credit. When something bad happens we blame someone or something else.
“Computers don’t commit crimes. They don’t routinely break into systems and steal credit card information. There is always a person on the other side doing something.”
He went into a long discourse about the human brain to explain this, and how other industries looking at safety issues have come to a similar conclusion: human factors play a huge role in problems. “We’re not the first industry to have these problems,” he said, but “we’re taking longer than those to solve it.”
In fact, he believes only two per cent of network breaches were unavoidable. “I’ve never seen any computer or so difficult they couldn’t have been prevented.
“Attackers are shooting fish in a barrel most of the time. It’s things like poor patching, flat networks, poor IT hygiene. It’s basic stuff we continue to get wrong. And we can’t do it any more.”
Organizations buy technology “and we’re still left with the same mess because none of us have approached the right problem in the right way. We’re trying to solve a problem that includes the messiness of people with technology. And you can’t do it. Wrong problem, wrong solution.”
Building a secure mindset in an organization takes time, he said, but managers want to buy security equipment.
Organizations have to admit the cyber security problem isn’t technology, he said. Then they have to create a plan to solve it with employees. It will need support from the C-suite, Pogue added, including understanding there is an ROI for security.
It also means understanding that governance regimes are only part of the solution, and that security is a journey, not a destination.
The key to success, he added, is marrying human intelligence and technology.
But most important is to create a culture of security-minded employees, he said, so they become deeply involved. “Hook them emotionally and they will do anything.”
Earlier this year at another security conference an IT security executive at a Canadian bank said awareness training for some is futile. But in an interview Pogue disagreed.
“I think that is absolutely false. I’m also a professor of cyber security at Southern Utah University and I’ve seen first hand in training law enforcement, college students, my own staff that you can change them from your weakest link into your greatest asset just by getting them invested.
“I think cyber security training as it exists today needs an overhaul, because a lot of it’s boring, especially for non-technical people. It needs to be entertaining, it needs to be interesting, it needs to be able to communicate technical concepts in a way the target audience can understand. And I think once you can hit that sweet spot then you’ve got something.”
How do you make awareness training entertaining? “By being entertaining … people love stories, people watch movies, love books for a reason, so make a story out of it … There are ways to do it. You have to be creative.”