Security Awareness. PHOTO: Cybercrime Magazine.

New Book: Security Awareness For Dummies

Smart CISOs put employees in their place

David Braue

Melbourne, Australia – Apr. 15, 2022

Although most security practitioners would agree that users aren’t perfect when it comes to security, not all agree what to do about it.

In one corner is the belief that increasing the frequency of security awareness training is crucial to curbing users’ exposure to phishing and other malicious campaigns. If the company is then breached, it’s the user’s fault.

In the other corner are people like Ira Winkler — who, as chief security architect of retail behemoth Walmart, knows all too well that expecting perfection from 2.3 million employees, all the time, isn’t realistic.

“There’s a lot of talk about making the user your last line of defense,” he told Cybercrime Magazine, “but the fact of the matter is that the user is not your last line of defense in any way, shape, or form.”

“If that really is your posture, you have failed in your security program. If your goal is to say that ‘my users will always be perfect and stop all attacks,’ that’s just a fallacy. It’s going to get you in trouble, and make you the laughingstock of the security program.”

Cybercrime Radio: Perfect security is not reality

Focusing on the basics

Make users the first line of defense, not the last

That’s not to discount the importance of regular security awareness training — which, as he discusses in his upcoming book, “Security Awareness for Dummies,” is important but is only the beginning of the endpoint security strategy.

“Empowerment is not just making users more aware” of security threats, he explained, but “part of the overall creation of an environment that protects your users.”

“If your filters filter out phishing messages, your user is never in the position to have to decide whether or not a message is a phishing message or not.”

Controlling the risk exposure of the operating environment must be a key focus for security strategists who, Winkler said, also need to make sure that environment won’t be obliterated once a user makes the inevitable mistake of clicking on malware.

“It’s not the user encrypting every bit on your hard drive,” he explained. “The user is downloading a file and then, if the file activates, that’s because the user first had permission to download the file.”

“If the user doesn’t have permission to download and install software, they can’t download and install malware.”

As well as tightening security permissions, complete security environments must include behavioral protections that can, for example, detect and query why a user is logging in from Cyprus instead of their normal workplace in Seattle.

Security isn’t only by the numbers

Today’s security monitoring platforms are extensively instrumented to give security managers a close view of what’s going on across the network, in particular how users are doing when it comes to performance on security training exercises.

Yet many companies are putting too much stock in those metrics, Winkler warned, by often collecting the wrong metrics, and trying to tie them in with other organizational KPIs — often delivering an incomplete view of their actual security exposure.

“Large organizations have data scientists and a variety of other people who are there to look at process improvements,” he explained, “and these people can go ahead and collect the metrics because they’re looking for signs of success.”

Those metrics might lend themselves to correlating security awareness training investments with measurable improvements — such as a reduction in the need for helpdesk expenditure for password changes — but Winkler warns against putting too much stock in metrics in companies that lack the expertise to use them properly.

“Everybody likes to measure but most organizations, frankly, don’t have the appropriate people with the appropriate data skills to use metrics meaningfully,” he said.

“The goal of an awareness professional is to reduce risk by improving the security behaviors of your users. Better security behaviors will result in fewer incidents and lower the risk — but please don’t make metrics your only sign of success.”

Nudge, nudge, think, think

Effective security programs, Winkler said, will complement back-end protections and user awareness training with regular security “nudges” – reminders for people to take action, at a point where the action can be taken.

“Nudges are very useful because they are just-in-time awareness where awareness is needed to be,” Winkler said.

That means, for example, posting signs to remind people to log out of their computers at the end of the day, or putting stickers above desk phones to remind them not to give out certain types of information.

Over the long term, building security awareness is about much more than just user training — and here, he warned, cybersecurity specialists should take a page from well-documented understandings about human behavior.

“In cybersecurity, we act like we’re unique in having to deal with user error and user actions,” he said, “but we are far from being the only discipline that has to deal with human error: you have operational environments where users make mistakes on a regular basis, accounting, safety fields, and so on.”

The key, he argued, is to accept that users won’t be perfect, and build a supportive environment capable of buffering the organization from that imperfection.

“Security awareness is very important in reducing your risk,” he said, “however it is not an island unto itself; basically, it is a risk awareness tool.”

“Don’t let anybody promise you perfection… anybody who ever promises you perfect security is a fool, or a liar, or both.”

“Just go ahead and love the user, and try to remove the opportunity for them to initiate a loss by taking away potential attacks, or opportunities to cause harm, in advance. It’s the basics that we really need to focus on.”

David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.