There are countless articles, conference speakers, panelists, and casual conversations among IT and security personnel lamenting that users are the weakest link in security. The claim is that no matter how well you secure your organization, it takes just one user to ruin everything. While there’s no doubt that a user can take down these “experts'” networks, the problem lies not with the user, but with the experts.
As I wrote in my previous column, user actions are expected and, most importantly, enabled by security staff. The problem with the expression “the users are the weakest link” is that it abdicates responsibility for stopping problems. Security professionals may believe that they did everything they could, but they’re really just giving up.
All a Part of the System
Here is what’s critical: Users are a part of the system. They are not accessories. They serve a business function that requires interaction with your organization’s computer systems. To determine that a part of the system — users — will always be insecure and there is nothing that you can do about it is a failure on your part.
Consider just about any other discipline within an organization. Accounting has processes in place to deal with the expected human actions involving financial mistakes and malfeasance. You do not hear CFOs declare that they can’t keep accurate financial records, because users are the weakest link. COOs don’t say their organizations can’t run effectively, because they have humans involved in operations. Any CFO or COO who made such a claim would be rightfully fired, because they are responsible for their processes, which have humans as a critical part of those processes and they must figure out how to effectively manage those people.
CISOs who cannot figure out how to effectively manage humans using systems they are responsible for protecting should be disciplined, if not fired, for proclaiming they are failing to deal with a critical aspect of their systems. Just as systems have to be designed to protect from the expected external hacking attacks, they must be designed to protect from expected user actions.
One critical aspect is that security professionals seem to believe that the solution to deal with human mistakes — and remember this doesn’t deal with intentional malicious actions — is awareness training. But the reality is that although awareness training can be valuable, it is not perfect. This reliance on an imperfect countermeasure is behind the negligence in proclaiming users the weakest link.
Security professionals must realize that while awareness reduces the risk, their job is not finished. First we must consider that most awareness programs are poor. From experience, observation, and research, most awareness programs are not achieving their desired goals in creating strong security behaviors. Even assuming they could, security professionals would still need to create comprehensive programs that implement the supporting processes and technical countermeasures. This would account for both the inevitable user error as well as the malicious actions.
However, instead of security professionals acknowledging that they have failed to account for expected user failings or malfeasance, they blame the user. That is unacceptable.
While one my previous columns described the need for a human security officer to address the users from a comprehensive perspective, in short, you need to have a process in place that looks at potential user failings regarding:
- What are critical processes or likely areas where users can create damage?
- Analyzing and improving the processes to remove user decision-making, or specifying how decisions should be made, if they cannot be removed.
- Implementing technology that prevents the opportunities for users to cause damage, as well as technology that mitigates damages if proactive measures don’t work.
- Developing awareness programs that focus on informing users how to make decisions and do their jobs according to the established processes.
Just as CFOs and COOs cannot simply state that the user is the weakest link to justify failures in the processes that they oversea, the CISO cannot blame users for failures in security processes. The user is an embedded component of organizational computer systems, and it is negligent not to put in a set of comprehensive countermeasures to prevent, detect, and mitigate the anticipated failings of that component.
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.
Ira Winkler is president of Secure Mentem and author of Advanced Persistent Security. View Full Bio