In this corner, we have folks like Richard Howard: people who believe that when it comes to cybersecurity, we should look past our employees. We can't expect the average end user to identify a phishing attempt or a suspicious URL, and we certainly shouldn't blame them (or make fun of them) when they make a mistake (we agree on the not-making-fun part). Instead, enterprise dollars should be spent improving network security. It's the security team's job to protect the user, not the user's job to protect the enterprise.
In the other corner, we have people like Dave Marcus: people who take offense at Richard's thinking and who believe that if you don't train the soldier, you can't expect him to defend himself. It makes little sense to invest heavily (and only) in securing the business when a single action by a single employee can compromise the whole. If the end user is our last line of defense, we need to arm them with the training they need to protect themselves and the business. Security isn't just the security team's job; it's a consideration for everyone in the organization.
You’re familiar with the debate. It isn’t new. The arguments aren’t rocket science. Both sides sound logical, and they make sense, which is why the debate continues to rage on in security blogs.
But maybe it's time for the debate to die. The real (and perhaps unpopular) question is why there are corners at all. Why, as an industry, haven't we moved past the us-vs.-them mentality? When it's hard enough to get organizational buy-in, do we really need to be fighting among ourselves over which comes first, the chicken or the egg?
Getting all hands engaged in the battle allows both systems, the network and the user, to play an important and meaningful role. The truth is that we need stronger versions of both.
You must invest in technology.
Richard is right. You can't rely on users to stop the bad guys trying to get into the network, and that shouldn't be the crux of your threat prevention plan. Technology exists to help us fight this battle; it exists for a reason, and we need to invest in it and lean on it. We need the budgets to put proper security controls in place, to configure them to match our needs, and to monitor them continually to make sure they are doing what we intended. We are the security team, after all. It's our job to do everything we can to stop threats before they reach an employee in our organization. We also need to have a system in place to detect and limit the damage when employees do slip up, make a mistake, and let something nasty into the network. Because they will; it's human.
The Must Dos outlined in this article from way back in 2012 (identifying and isolating your data, establishing a perimeter defense, segmenting your network, limiting access, and making someone responsible for evangelizing security organization-wide) still apply today. They still matter, but…
You must invest in employee security training.
You can't stop at the level of technical protections, not even close. It's easy to say that if we invest in good technology, and if we get smart about building a strong system, the rest will take care of itself. But that's simply not the case. You can put all the armor you want on the vehicle, but if an employee can't drive it, they're likely to hurt themselves or the people around them. We must continue to invest in security awareness training, and not just any training, but custom, comprehensive, and continual training. Yes, that reads like an incredibly biased response from a business that makes its bread and butter selling security awareness products, but we do it for a reason. We do it because even with a strong first line of defense, you need an equally strong second line for when things slip through. And you know they will.
One of the biggest complaints against employee security training is that you can train someone today, only to have the same person fall victim to phishing less than 24 hours later. (And remember, the same can be said of technical protections: a freshly patched system can still be compromised tomorrow.) What this signals is the need for better training materials and stronger reinforcement. It's not a sign that education doesn't work. Just as you need the right software, you need the right training. Insisting that we let software and technology do their job while ignoring, or not giving proper attention to, the end user is a flawed response. End users play a meaningful role in enterprise security.
So what’s the answer?
Get the right software and other technical protections in place.
Build the right systems and the right response plan.
Train your employees.
Reinforce the training.
Update your software.
Reinforce your awareness training.
Repeat the cycle.
Security doesn't end, and it will never be one or the other. It's everything you have, working together, that keeps your business safe.
Photo: Joe Frazier’s Boxing Gloves