As I shared in a LinkedIn post, I was recently talking to a group of CISOs, security architects, and security directors about employee training, privilege, awareness, and incident response. As we talked, two notions occurred to me, which I'm going to expand upon in this blog:
- In times of emergency, such as a blizzard or a security event, we really need employees to be able to look beyond their emotion and report any incident that could cause harm to employees or to the company. They should also know where to access the current status of any alerts.
- We need a system of controls that alerts everybody, and individual people directly, when something is wrong with their environment or with their credentials.
Real Lessons for the Security World
In the security world, when employees realize that they've clicked on something they shouldn't have, the gut reaction is often embarrassment, along with fear of punishment. I believe this response stems from security awareness communications and training that primarily focus on admonishing people (and testing them) on what they should not do, while neglecting to reinforce what they should do.
In the real world, a witness to an incident that involves an injury can call 911 without fear of reprisal. How do we move security awareness to a world where there is no shame and no fear of reprisal, even one as minimal as being chastised for wasting the helpdesk's time with "stupid tickets"?
Early on, most of us learn from our parents and our teachers to immediately call 911 (or another number) in the event of an emergency. Yes, we are educated on what constitutes an emergency, but in the real world, emergencies comprise this broad swath of things that almost require no judgment—only emergency response. I don’t believe information security has taken this approach, and I feel we need to change that through a psychological shift.
Changing the Psychology of Security Awareness and Response
How do we go about changing the security response psychology of embarrassment and fear, to one of proactive, purpose-driven action? We need to start by providing people with feedback on the right ways to act in times of crisis, removing judgment, so that we can move beyond the situation where people are held back from reacting by their embarrassment. Initially, organizations might need to overcorrect, meaning they encourage employees to be hyper-aware, even if it translates into an increase in calls into security operations or a helpdesk. However, over time, we can expect that this trained awareness pays off by fostering better security and trust.
The speed of response to cybersecurity incidents today is critical. Such an environment demands that people err on the side of concern about security rather than nonchalance or embarrassment. Let's reward people who report incidents, and reward those who quickly realize the wrong thing happened.
We Need the Right Cybersecurity Tools to Drive Better Awareness
A psychological shift is great, but now I want to consider how a company like BeyondTrust can help. We focus on privileged access management. Is there anything that a vendor like us can do to help in this quest?
If your house is broken into, you probably notice right away, because your environment shows conspicuous signs that your access point (door or window) has been breached. In the IT world, when we talk about people and privilege, end users are often unaware that their environment has been breached or that their account has been misused, because there are no obvious signs. Can we build an IT environment where it becomes just as obvious to end users that their key (password or credential) has been stolen as it would be if their house had been burgled?
How can we accomplish this in the security world? I think it requires a two-pronged approach, by automating our detection tools and by pushing alerts directly to users. We want users to get enough information so they CAN see something.
Security tools must help us notify users when something is amiss. Banks do this today, such as by informing us when we are accessing banking resources from a location we've never been before, or by sending us a verification SMS code. I believe we should apply this model to information security, such as by notifying users when their accounts have been used in ways that fall outside the parameters of their routine usage. Our privilege management systems should track where credentials are used and call out anomalies, both to the security desk and to the end user, while also requesting that the user verify that he or she did in fact execute the suspect operation.
If a bank suspects fraudulent actions are underway, it does not allow a user to log in and continue to commit fraud—it suspends activity until the user can confirm the transactions are legitimate and authorized. Why should your organization allow a privileged user to continue to access the environment if the user account in question has been used in an unexpected, or unorthodox, way? By leveraging BeyondTrust solutions, as well as our vast partner network, organizations can identify high-risk usage of a privileged account and suspend it. Automated triggers can turn off that account, stop it from being able to check out passwords, and quickly notify your operations desk when something is wrong.
By applying information from threat analytics tools, such as those found in several BeyondTrust solutions, can we provide our users with information that helps them quickly decide when things are going wrong? I think doing this helps us move users from a state of embarrassment to a state of being helpful, where they are proactive in contacting you when things look funny—especially around their access to sensitive systems and data. Maybe they even get an alert and call you to report it, similar to how a fraud alert on your credit card might work. Perhaps they get an SMS that they need to reply "YES" or "NO" to in order to validate that their privileged activity is legitimate.
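To make the workflow in the three paragraphs above concrete, here is an added illustration of the "bank model" for privileged accounts. It is not BeyondTrust product code and is not from the original post; it is a self-contained model in which each privileged account has a routine baseline (countries, hours, hosts), usage outside that baseline alerts the security desk, prompts the user for a YES/NO confirmation, and suspends password checkout until the user confirms. The account names, baselines and events are constructed sample data, and the notification queues stand in for whatever SOC ticketing and SMS gateway a real deployment would use.

```python
"""Anomaly-driven privileged-account alerting with end-user verification.

Added illustration, not vendor code. Models the post's workflow: track where
and when a privileged credential is used, flag usage outside the account's
routine, alert the security desk AND the user, suspend password checkout, and
release or escalate based on the user's YES/NO reply.  All accounts, baselines
and events are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set


@dataclass
class Baseline:
    """What 'routine' looks like for one privileged account (assumed learned over time)."""
    usual_countries: Set[str]
    usual_hours: range          # hours of day the account is normally active
    usual_hosts: Set[str]


@dataclass
class Event:
    account: str
    timestamp: datetime
    country: str
    host: str
    action: str


@dataclass
class AccountState:
    suspended: bool = False
    pending: Optional[Event] = None          # event awaiting user confirmation
    notices: List[str] = field(default_factory=list)


def score_event(ev: Event, base: Baseline) -> List[str]:
    """Return the anomaly reasons for an event; an empty list means routine usage."""
    reasons = []
    if ev.country not in base.usual_countries:
        reasons.append(f"new country {ev.country}")
    if ev.timestamp.hour not in base.usual_hours:
        reasons.append(f"unusual hour {ev.timestamp.hour:02d}:00")
    if ev.host not in base.usual_hosts:
        reasons.append(f"unseen host {ev.host}")
    return reasons


class PrivilegeMonitor:
    """Decides per event: allowed, suspended (pending confirmation), or denied."""

    def __init__(self, baselines: Dict[str, Baseline]):
        self.baselines = baselines
        self.states: Dict[str, AccountState] = {}
        self.soc_queue: List[str] = []    # alerts to the security / operations desk
        self.user_queue: List[str] = []   # verification prompts to the end user (e.g. SMS)

    def state(self, account: str) -> AccountState:
        return self.states.setdefault(account, AccountState())

    def handle(self, ev: Event) -> str:
        st = self.state(ev.account)
        if st.suspended:
            return "denied"               # bank model: no further activity while suspended
        reasons = score_event(ev, self.baselines[ev.account])
        if not reasons:
            return "allowed"
        st.suspended, st.pending = True, ev
        self.soc_queue.append(f"{ev.account}: suspended after '{ev.action}' ({'; '.join(reasons)})")
        self.user_queue.append(
            f"To {ev.account}: was '{ev.action}' from {ev.host} in {ev.country} at "
            f"{ev.timestamp:%H:%M} you? Reply YES or NO.")
        return "suspended"

    def user_reply(self, account: str, reply: str) -> str:
        """Apply the user's YES/NO answer: YES lifts the suspension, anything else escalates."""
        st = self.state(account)
        if st.pending is None:
            return "nothing pending"
        confirmed = reply.strip().upper() == "YES"
        st.pending = None
        if confirmed:
            st.suspended = False
            self.soc_queue.append(f"{account}: user confirmed activity; suspension lifted")
            return "released"
        self.soc_queue.append(f"{account}: user DENIED activity; keep suspended, escalate to IR")
        return "escalated"


def can_checkout_password(mon: PrivilegeMonitor, account: str) -> bool:
    """Password-vault gate: checkout is refused while the account is suspended."""
    return not mon.state(account).suspended


def run_demo() -> Dict[str, object]:
    """Walk two constructed accounts through routine use, anomaly, NO and YES replies."""
    base = {
        "svc-dba-admin": Baseline({"US"}, range(8, 19), {"db-prod-01", "db-prod-02"}),
        "jdoe-adm": Baseline({"US", "CA"}, range(7, 20), {"jump-01"}),
    }
    mon = PrivilegeMonitor(base)
    out: Dict[str, object] = {}
    out["routine"] = mon.handle(Event("svc-dba-admin", datetime(2024, 3, 4, 10, 15), "US", "db-prod-01", "password checkout"))
    out["anomalous"] = mon.handle(Event("svc-dba-admin", datetime(2024, 3, 5, 3, 2), "RO", "db-prod-01", "password checkout"))
    out["while_suspended"] = mon.handle(Event("svc-dba-admin", datetime(2024, 3, 5, 3, 5), "RO", "db-prod-02", "session start"))
    out["user_said_no"] = mon.user_reply("svc-dba-admin", "no")
    out["checkout_after_no"] = can_checkout_password(mon, "svc-dba-admin")
    out["jdoe_travel"] = mon.handle(Event("jdoe-adm", datetime(2024, 3, 6, 9, 30), "GB", "jump-01", "session start"))
    out["user_said_yes"] = mon.user_reply("jdoe-adm", "YES")
    out["checkout_after_yes"] = can_checkout_password(mon, "jdoe-adm")
    out["soc_alerts"] = list(mon.soc_queue)
    out["user_prompts"] = list(mon.user_queue)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design points are worth noting. First, the suspension happens before the user is asked, not after: as with the bank, the account stays blocked (including password checkout) until a positive confirmation arrives, and a "NO" or a missing reply leaves it blocked and hands it to incident response. Second, every anomaly produces two messages, one to the security desk and one to the user, so the user sees the same signal the SOC sees and is invited to report rather than left to wonder.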
None of us want our users to be scared to report something or to be embarrassed should they accidentally do something wrong. Let’s work to eliminate embarrassment and improve our ability to avoid exploits, as well as to rapidly fix errors when they do happen. Because it’s better to be embarrassed than exploited!
Interested in learning more about our threat analytics capabilities? Contact us today.
Scott Carlson, Technical Fellow
As Technical Fellow, Scott Carlson brings internal technical leadership to BeyondTrust, strategic guidance to our customers, and evangelism to the broader IT security community. He also plays a key role in developing innovative relationships between BeyondTrust and its technical alliance partners. Scott has over 20 years of experience in the banking, education and payment sectors, where his focus areas have included information security, data centers, cloud, virtualization, and systems architecture. He is also a noted thought leader, speaker and contributor to RSA Conference, OpenStack Foundation, Information Week and other industry institutions.
Prior to joining BeyondTrust, Scott served as Director of Information Security Strategy & Integration with PayPal, where he created and executed security strategy for infrastructure across all PayPal properties, including worldwide data centers, office networks, and public cloud deployments. He led several cross-departmental teams to deliver information security strategy, technical architecture, and strategic solutions across enterprise IT environments. As a member of the office of the CISO, CTO and CIO, Scott spoke on behalf of the company at global conferences. In addition, he was responsible for infrastructure budget management, vendor management, and product selection, while also serving as the cloud security strategist for private OpenStack cloud and public cloud (AWS, GCP, Azure). Prior to PayPal, Scott held similar roles with Apollo Education Group and Charles Schwab.