This is a joint blog between Masha Sedova of Elevate Security and Lance Spitzner
of SANS Institute. We created this blog together as we see time and
time again organizations are taking a tactical approach to managing
their human risk, limiting their ability to manage it. Organizations
need to take a far more strategic approach, especially as the human
element continues to be the primary driver for incidents / breaches
today.
In just about every security breach we read about nowadays to the latest security reports such as the Verizon DBIR, human risk continually comes to the top of everyone’s list. By human risk we mean from people being actively targeted by cyber attackers to simple human errors or mistakes, like autocomplete in email. With the human element playing such a large role in risk today, you would think organizations would have a role dedicated to managing it. However, that is not the case.
Most organizations still take a primarily technical view to cyber risk and continue to take an exclusively defensive approach by throwing technology at the problem. While technical security controls are where every organization should start, after several decades we are hitting the point of diminishing returns. It could be said that we are getting so good at using technology to secure technology that we are driving cyber attackers to target the human. To address this many organizations will appoint a security awareness manager to address the human side of risk. While this is a fantastic place to start, the challenge with this is several-fold.
- Far too many organizations approach security awareness as a part time job, with the vast majority of people in this role spending 50% or less of their time on it.
- Most awareness officers come from highly technical backgrounds. While such individuals understand technology and the problems, they often lack the skills and training to effectively engage and communicate the solution to their workforce.
- Far too many organizations treat security awareness as purely a compliance effort to check the box.
- Far too many organizations do not place the security awareness program under the security or risk management team, to provide the support and partnerships needed by the security awareness officer for success. Common mistakes include positioning security awareness under legal, audit or compliance.
Well-funded and properly resourced security awareness programs are a great place for organizations to start addressing the human risk. However, based on the trends we have seen over the past years, is it enough? Most security awareness professionals are not senior enough to have a strategic impact and many CISOs do not view the security awareness manager as a strategic partner in line with other cyber roles reporting to them. How many CISO’s do you know who started in the security awareness field?
Perhaps it’s time to take a strategic approach to human risk and create the Human Risk Officer (HRO). This core benefit of elevating this responsibility is to have a key person accountable for the visibility, reduction, and prevention of user-generated incidents. Instead of simply reacting to incidents as they happen, this role would seek to understand the root causes and work to establish the technology, policies, culture and behavior change to prevent them from happening again.
The HRO would work in close partnership with technically focused areas of security to drive the high-level changes needed to support managing human risk, from building a stronger security culture to simplifying policies, strengthening partnerships and improving communication. This is particularly valuable because let’s be honest-finding a deeply technical security expert who also has a high EQ and is skilled at engaging and partnering with others can be harder than finding a flying unicorn.
Simply put, the HRO would own the holistic efforts of helping our workforce make better security decisions daily from frontline employees to executives helping the human-element of our organizations adapt and respond to security threats.
Ultimately, most organizations agree that the human is one of their greatest risks, from being people actively targeted to simple human error. However, simply throwing more technology at the problem is no longer the solution, we have to truly develop an offensive and more strategic solution to address the human element, and that may need to start with the Human Risk Officer.