I’m at the RSA security conference this week. It’s just day two of the conference as I write this, but already I’ve begun to see a trend in the conversations I’ve been having with analysts and security professionals, both in casual moments and in formal interviews. I thought I’d be hearing all about the Internet of Things (and I still might – the conference is just getting started), but instead folks are talking about people. As one person said to me during a party overlooking the Bay Bridge, technology can only do so much to protect your networks; security is really a people problem.
I had a chance to sit down with Jim Hansen and Denny Lecompte from AlienVault at their booth. We talked about cloud security, which I will touch on at greater length at a future time, but as our conversation evolved, Lecompte made it clear that no matter where you focus your security efforts, there is one issue that is difficult to address, stating:
No matter what you do, you can’t fix people.
Hansen backed that up, adding that even the most security-savvy people – i.e., the security professionals – have moments of weakness where their guard is let down: someone has worked too many long hours and wasn’t paying close attention, or maybe they got too complacent, and they do something that results in a serious security breakdown.
This idea isn’t new, of course. More organizations are recognizing the need to deploy behavior analytics as a cybersecurity tool, as CSO reported:
User behavior analytic tools are different in that they shift the focus from sending alerts of potential threats from outside the network to identifying more concentrated and individualized insider threats based on user behavior.
But what I’m hearing seems to go beyond utilizing behavior analytics tools and toward creating an entire mind shift on how we think about cybersecurity and the players on both sides – the bad actors and the victims. It isn’t just about how to get someone to fall for a social engineering scheme, for instance. It is understanding what the cybercriminal wants to accomplish after hacking a network. Is it a data dump for financial gain? For blackmail purposes? To cause physical harm, as IoT devices become more attached to human life functions?
In a conversation with me, Robby Mook, Hillary Clinton’s former campaign manager, talked about how he witnessed this shift in cybercriminal behavior. In his case, the data breach was meant to manipulate public opinion. At the same time, he added, there was hesitation to consider the data breach of the Democratic National Committee networks a “real” crime, because we still don’t see it that way.
One thing is clear to me so far during RSA. We need to think of cybersecurity in human terms, not just in data or technology.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba