The premise of our October #SecChat discussion was a concept that, without fail, rears its head in every Twitter chat we host. The idea is that no matter how sophisticated security technology becomes, users will always be the weakest link in an organization’s security program. Given this, we wanted to know what you, the security professionals in the field, thought about strategies to combat this weakest link. How can organizations optimize technology solutions and policy to best mitigate the risk of user-based threats?
The Technology Side of the Equation
We kicked off our conversation by asking what participants believed were the most common “technology weakest links.” @0xjudd suggested that poorly written apps are to blame, with @phoobar chiming in that, unfortunately, security apps are some of the worst offenders. @Calhoun_Pat added that all too often, app designers are unaware of the risk, or simply don’t understand that security is a problem.
Still, @andrewsmhay added what seemed to be a common belief among many participants – that it is irresponsible to even point to a particular technology as a “weakest link.” Any technology, no matter how sophisticated, is only as good as the people who implement it.
Security Policy: An Issue of Transparency
@natstalgia instigated a turning point in our discussion with a pivotal observation. In his experience, a significant number of people tend to blow off security policy simply because it is inconvenient. Knowing this, how can IT teams better align security with both business objectives and user needs? @SimonMoffatt brought up that a user’s aim is always their job – not IT – and security teams need to know and understand that dynamic in order to craft effective policy.
One idea suggested by @imaguid was to increase transparency. Transparency can help increase user buy-in by helping employees create a mental model of the real-life consequences of a breach. @chort0 agreed, noting that some of the most common problems caused by users are the result of employees oblivious to the consequences of their actions. @jtyrus chimed in that security teams need to start explaining the “why” behind policy, instead of expecting blind compliance.
On the technology side, DLP solutions were brought up by a few parties in our chat as a potential solution not only to take security out of the hands of users, but again, to increase transparency. @0xjudd and @mfeesa both noted that DLP can send users alerts when a violation occurs – helping them to understand the consequences of their actions and see the results of a compromise in near real-time.
As our conversation moved on to the challenges of email threats, transparency remained a key theme. @DaveBullsEye noted that in web protection, showing a blocked page and explaining why it is blocked goes a long way in helping an employee care about how their activity impacts the business as a whole. It’s about getting people to care not only about what they have to do, but why they need to do it. As @natstalgia put it, it’s about a change in culture – not just a change in policy.
As our chat came to a close, we asked our participants for their key takeaways. @Calhoun_Pat and @DaveBullsEye both pointed out that employee security education is key, but that it must be supplemented with relevant, real-life examples. @natstalgia and @SimonMoffatt also chimed in on the topic of education, noting that C-level buy-in is key in creating an effective program. @SecurityBuzz then reiterated the importance of establishing the business value of security policy, but also of backing up policy with appropriate technology solutions.
Thanks again to everyone who participated in this month’s #SecChat. Stay tuned for details on our next topic here in the blog and on Twitter with @IntelSec_Biz.