At the start of this year, Tessian started a podcast. Why? Because since we launched the Human Layer Security category in 2013, the human factor has become one of the biggest considerations in cybersecurity today.
Every day, we are speaking to CISOs, CIOs, business leaders and security professionals about how to secure the human layer.
And I’m not just talking about conversations related to how to stop the ever-rising number of phishing attacks. We’re talking about insider threats and security incidents caused by simple human error, too. We’re discussing ways in which CISOs can better understand their employees’ behaviors and ways of working, in order to build security strategies that protect them and empower them to do great work. And we’re talking about how to get buy-in from boards.
Rather than keeping the conversations to ourselves, we wanted the podcast to provide a platform for inspiring IT leaders, thought-provoking academics, and ethical hackers to discuss why it’s so important for businesses to protect their people – not just machines and data – and to share their learnings so that other security teams can do it too.
“The human factor is everything. I mean, we are always the ones making the decision around what we think is best and understanding what a certain vulnerability means.”
It’s been a lot of fun and I’ve spoken to some incredible people. So here are my highlights and my top learnings as we close out Season 1 of the RE:Human Layer Security podcast:
1. CISOs are doing an amazing job in their relentless roles. As Simon Hodgkinson, former CISO at bp, said, the job of the CISO is truly 24/7. And it’s becoming “more and more challenging as the threats become more advanced and regulatory landscapes become even more complicated”.
Hearing the work that CISOs like Jerry Perullo at ICE, Ray Espinoza at Cobalt, Tim Fitzgerald at ARM and Anne Benigsen at Bankers’ Bank of West are doing to not only navigate these landscapes and keep their companies safe, but also to help make their people into security champions and make security as seamless as possible is really inspiring.
2. … and they want to do more. It was clear from the leaders I spoke to that they have a “duty of care to continue raising awareness” and “invest in making sure people are able to do the right thing.” Some believe, however, that there are more engaging ways to do it, while others think there is more work to be done to get employees to buy in to the security culture. It was great to understand how they plan to do this.
“Why do businesses continually use fear - a short term emotion - to try and engender long-term behavioral change in cybersecurity?”
3. Security can learn so much from psychology. In one of my favourite episodes, academics Dr Karen Renaud and Dr Marc Dupuis question why businesses continually use fear – a short-term emotion – to try and engender long-term behavioral change in cybersecurity. They also explain why employee self-efficacy plays such an important role in encouraging safer security practices. Their insight into what factors make people more or less likely to adopt safe cybersecurity behaviors makes me question whether FUD in security has had its day.
4. If you don’t get to know your people well, the bad guys certainly will. Ethical hackers and social engineering experts like Craig Hays and Jenny Radcliffe explained how cybercriminals select their targets and methods of attack, emphasizing the need for companies – at manager level – to know their people really well. As Jenny said, “the answer to becoming a more secure organization […] is to know your humans better than the bad guys.”
“Humans are in security on all levels - from the top to the bottom. They are what can make or break policies, procedures, machines. It's why I 100% believe you have to invest to ensure that people can be protected when it comes to cybersecurity these days.”
5. Employees aren’t the weakest link. The age-old saying that people are the weakest link in security is something our guests don’t believe in. To Dan Raywood, people are neither the strongest nor the weakest link, but rather “an essential part of your business”. Tim Fitzgerald agreed, stating that, as security leaders, “we try to take a look in the mirror and say, are we providing these people with the tools they need to help them avoid these types of threats or scenarios?”
It’s been a privilege to speak with all of our guests on the RE:Human Layer Security podcast and, if you haven’t already, I encourage you to listen to their interviews and subscribe to the show.
We’re now planning Season 2 so stay tuned for that – and if you’d like to get involved or hear more about what we’re doing, please contact me on LinkedIn or Twitter.