The Human Element
Bill Bonney, Cybersecurity Evangelist and Author, joins the podcast to talk about the human element in cybersecurity. He argues that without understanding human motivations and loyalties, security leaders cannot secure their organizations. Education and awareness are key here. If employees feel secure in their personal life, they will have the energy to devote to the organization.
He uses banking and credit cards as an example of how companies have indemnified the individual and allowed us to give up responsibility for risk. The fact remains that we are all responsible.
There are many things enterprises can avoid, but it seems a security breach is not one of them. Bill believes CISOs are no longer just responsible for securing the enterprise and its products; they are also responsible for ensuring recovery from that inevitable breach. The era of celebrity breaches has seen boards throw dollars at the problem, but the CISOs Bill has been talking to don’t want more tools; they want their teams educated on the tools they already have.
As always, education is essential: education in the form of consumer awareness, education of employer and employees, and education of security practitioners so they can mitigate risk to the organization.
- 02:00 — Humans and their motivations are the hindrance to companies reducing risk.
- 04:28 — Banking is a great example of the transfer of risk responsibility from the individual to the institution.
- 06:48 — Teaching people secure habits for their personal life means they will be more secure at work.
- 10:39 — People are the largest dynamic in the people-process-technology triad for how to secure any enterprise.
- 12:03 — There is a growing trend towards understanding the motivation of the individual.
- 14:28 — The CISO role is not just understanding how to protect the enterprise and its products, but also knowing how to recover from the inevitable breach.
- 16:17 — Metrics and behavior: it’s all about the human element.
- 18:26 — Companies need to persuade consumers that they can be trusted with our data. To do that they must be transparent.