Insights on Human Layer Security from Tim Fitzgerald, CISO of Arm

  • 23 January 2020
“I’m an optimist, so I genuinely believe that the average employee is trustworthy. I think if you give people the opportunity to make a good decision and make the easiest path to get their job done, the secure path, then they will take it. That is our job as security professionals.”
Tim Fitzgerald Chief Information Security Officer, Arm

In case you missed it, on January 22 Tim Sadler, Tessian’s CEO and co-founder, hosted our first webinar of the year which explored the biggest threat to an organization’s security: its employees.

To understand the risk of human error in the workplace and how Tessian’s Human Layer Security platform is able to mitigate that risk, Tim S. was joined by Tim Fitzgerald, the CISO of Arm for a live Q&A. Before joining Arm over two years ago, Tim F. served as the CSO of Symantec for over five years. He has a special interest in digital data and human security.

Arm is a customer of Tessian’s, and has deployed Tessian Defender,  Tessian Guardian, and Tessian Constructor. Consequently, Tim F. is not just attuned to the security risks associated with employees making mistakes, he understands how best to combat those risks.

While you can listen to the full webinar and Q&A on-demand here, below are some of the key takeaways from Tim Fitzgerald.

Where does risk really exist?

Tim Fitzgerald: “It is very ‘sexy’ in security to talk about big hacking groups and use that as justification to invest in security. And there’s a lot of legitimacy behind that. But the other side of the narrative – which we spend more time on now than nation-state type threats – is how do we not do it to ourselves? Because now we’re more often dealing with avoidable events caused by predictable human error.”

“I think, in general, not only should we be talking to our senior executives and boards more clearly about where real risk exists – which for most companies is the human layer – but we also need to be doing more to help these people combat the problem rather than just passing blame.”

To err is human, but people are (generally) well-intentioned

TF: “I very much chafe at the idea that we think of our employees as the weakest link. It underserves peoples’ intent and how they choose to operate. Rather than that, we try to take a look in the mirror and say ‘What are we not providing our employees to help them avoid these type of scenarios?’”

“At Arm, we take the ‘people-are-people’ view. Not that they’re the weakest link; not that they don’t come with good intent; or that they don’t want to be good at their job; or that they take shortcuts just to get that extra moment of productivity. But, actually, everyone wants to do a good job and our job is to arm them with both the knowledge and the tools to be able to keep themselves secure, rather than trying to secure around them.”

The role of a CISO is people-centric

TF: “I view my job in human security as somewhere between a sociology and a marketing experiment. We’re really trying to change peoples’ behaviors in a moment. Not universally, not their personal viewpoints. But will they make the right decision in this moment to do something that won’t create security risk for us? Evolving that strategy relies not just on how we influence behavior in that moment of time, but actually, can we change their ethos? Can we make responsible security decision-making part of everybody’s job?”

“Security is ultimately my responsibility. But, we very much rely on what we consider our extended security team, which is all of our employees. Our view is that they can undo all the good that we’ve done behind them to try to compensate for the risk that normal human beings create.”

Security solutions should empower employees

TF: “By far the biggest single challenge we have is Arm’s ethos around information sharing. We have a belief – that has proven to be true – that this level of information sharing has allowed Arm to be extraordinarily successful and innovative. There’s no backing up from that, and that represents a huge amount of challenge; that level of information sharing is quite difficult to manage.

“Rather than saying people are an intractable problem and therefore we can’t conquer this, if we start thinking about how we can mobilize them as a part of our overall cybersecurity defense mechanism, it causes you to rethink whether or not you’re serving your populous correctly.”

Machine learning enables Human Layer Security

TF: “What I liked about Tessian is that it gave us an opportunity to use the ML in the background to try and develop context about whether or not something that someone was doing was either atypical or perhaps just part of a bad process. Either way, we can get a sense of whether or not what they’re doing is causing us risk. It doesn’t require us to be completely prescriptive about what we’re looking for, but it allows us to learn with the technology – and with the people – what normal patterns of behavior look like and, therefore, intervene when it matters and not have to react every time an alarm goes off.

“You have all this amazing context of what people are doing on email, which is where people spend most of their time and where most of the risk comes for most organizations. How can we turn this into more than just making sure someone doesn’t fat finger an email address or send sensitive files where they’re not supposed to go? Can we take the context that we’re gaining through how people are using email and create more of those moments in time to connect with them?”

Tessian fits into a larger security framework

TF: “We have a whole bunch of other mechanisms to protect against traditional insider threats – the people who are really acting against our best interest – but that instance is infrequent and high impact. The person who makes the mistake is high frequency, medium-to high-impact. We were getting hammered on that sort of stuff, which is why we came to Tessian.”

“The original use case for bringing Tessian in was to stop people sending the right information to the wrong people, or the wrong information to the right people. We’ve had a tremendous success story in terms of reducing the number of events that happen in full, but we’ve also engaged with what we could consider our highest risk population of people: those folks who have demonstrated behavior that they will go around those controls. If nothing else, that is tremendously valuable to us.”
Tim Fitzgerald Chief Information Security Officer, Arm

“When used correctly and in a finite environment or a finite data set, DLP solutions are very effective at keeping that data where it’s supposed to be and understanding movement in that ecosystem. When you try to deploy that broadly though…you start to run into the inability of the DLP system to understand where that data is supposed to be. Is this person supposed to have it based on their role and their function? It’s not a smart technology like that. You end up trying to write these very complex rules that are hard to manage.”

The future of Human Layer Security

TF: “Can we start to mesh together what we know about the technology and the machines with real human behavior? It’ll not only help us find those bad guys in our environments who we know are there, but also to get out in front of people’s behavior rather than reacting to it after it happens. That’s the holy grail of what this could become. To get – if not predictive – at least start leading us toward where we think risk exists and allowing us an opportunity to intervene before things happen.”

Want to learn more about how Tessian helps Arm catch and stop accidental data loss with Tessian Guardian and prevent spear phishing attacks with Tessian Defender? Read the case study here.