Published April 3, 2017.
The Ethical Hacker: Technically Speaking, Cybersecurity Isn’t About Speaking Technically
These days cybersecurity seems to be all about technology. Pen testing, firewalls, port scanning, SIEM, zero-day, IPS, AES256, SHA, DMZ, NIDS, TLS, SS7 – I’ll stop. I could go on, but you get the idea. And I have a vested interest in keeping your attention.
Acronyms and geek-speak abound, and we are ever on the lookout for the next latest and greatest technical solution to secure our digital assets. Unfortunately, that perfect technical solution doesn’t exist and never will. How can I be so sure? Because no matter how well built, or how well thought out our technical solution may be, humans are involved. When humans are involved, they will be the weakest link, and we can’t (yet) re-engineer humans with a technical solution.
How do most attacks happen? Despite what movies and TV would have you believe, it’s not legions of hackers actively pounding down our cyber doors. Most successful attacks happen because a person did something: they made a mistake, clicked a link, visited a suspicious website or plugged in an infected USB device. They were naïve or unaware of the damage that could arise from their actions and let their guard down. Which brings us to the theme of this column. Cybersecurity isn’t about speaking technically; it’s about communication.
We, as representatives of our organizations, must have a vested interest in security, and we should be communicating with our co-workers and peers about it. The clarity and simplicity of those communications are vital to our maintaining a secure environment; acronyms and technical jargon only serve to confuse and alienate the very audience we are trying to reach.
And that audience? Earlier I said we can’t re-engineer humans, which is true, but, in a sense, we can re-program them. How? I know re-programming people sounds nefarious, especially in a conversation about cyber, but the answer is to educate them. We educate them by clearly and consistently communicating the risks involved in working with company data in an insecure fashion. We explain what our expectations are, and how their actions can contribute to or detract from our efforts to control those risks. It’s vital to use language that isn’t technical, that doesn’t alienate or confuse and that clearly outlines how they can improve security.
The security of our organizations rests with our employees. Employees can range from weak links to stalwart defenders, and it’s up to us to help them move toward the “defender” role. Without proper communication, most employees won’t know the critical part they play or how to change their behavior to be alert for suspicious activity – or what to do when they observe it. If our cybersecurity conversations always revolve around acronyms and technical jargon, our business associates and nontechnical employees will believe that security is the domain of security professionals, assume the risk is being handled by those in charge and proceed with a lack of awareness as to how they themselves may be undermining that presumed security.
Case in point: Target. Target had spent hundreds of millions of dollars on technical security, yet was undermined by employees and contractors who didn’t clearly understand the role they played in keeping the organization secure. Many of the cases I have worked on over the past several years have come down to employees making mistakes with honest intentions, yet ending up subverting the security of the entire organization.
On the other side, we also need to consider post-incident response, when communications become even more critical. To paraphrase Helmuth von Moltke, no plan survives first contact. Once incident response has been engaged, communications within the organization – including security response teams, legal counsel and senior management – become critical to properly containing and responding to the event. Communications external to the organization – such as clients, contractors and the media – quickly become the public face of the event. Making sure these are clear, accurate and accessible to the appropriate audience can be the difference between a controlled event and chaos.
But that’s a column for another day. For today, let’s take a minute to reaffirm the importance of open and clear communications within our organizations about security and the roles we all play, as our best defense must always include education and awareness. As inside counsel, you can help by playing the role of universal translator between the technical security team and the nontechnical business units and management. Naturally speaking, all you have to do is speak naturally.