When my son was in the midst of his college search, we sat in on presentations about different majors. He knew that he wanted to major in something to do with computers and technology, but he wasn’t sure of the direction in which he wanted to go.
The presentation we attended was for a major that focused on IT security, back when it was still a relatively unheard-of major. The professor leading the presentation asked the kids in the room about their computer skills: Who built websites? Who took programming classes? Who built computers from scratch? My son was one of the few kids in the room to raise his hand, and the other kids looked nervous that they did not have these skills. The professor said, “That’s great, but it isn’t important in this major.”
He went on to say that this new IT security major would teach computer skills, but it would also require students to study history, psychology, sociology—the social science skills that you don’t usually associate with a computer-related major. But the professor pointed out that security is about understanding people and behavior first, and then understanding how to protect the network against that behavior.
Today I was reminded of that presentation when I came across a blog post by Jessica Barker on the E-consultancy site. Barker pointed out that cybersecurity is more about people and less about technology than most of us realize. In her piece, Barker says:
In cyber security we often say ‘there is no such thing as a malicious machine.’ Trace a cyber attack or information breach back to its source and you won’t find code, you’ll find a person.
In fact, most information breaches are the result of human error and a lack of awareness, and the ‘human problem’ appears to be increasing.
She’s absolutely right. How many surveys do you read that say the biggest risk to the network and lost data is employee error or malicious insiders?
However, cybersecurity has changed over the years. It is no longer just a matter of protecting the network from malware. It now involves understanding who is a threat to the network and data, and how they are a threat. That can be as simple as writing a BYOD security policy around the employees who actually use their own devices, as involved as anticipating who might want to infiltrate the network to steal your intellectual property, or as demanding as recognizing whether your company is likely to be singled out for a targeted attack.
Technology is always going to be an integral component of IT security. It has to be. Someone has to understand how the network and computers work so they can be protected, which is why IT departments become the de facto data security staff. But as attacks become more sophisticated, is technical know-how enough?
A recent survey from EY found that at least half of all companies don’t think they have enough skilled resources to protect the information on their systems. That includes the IT staff. But at least some of those skilled resources should be people who understand human behavior, because, like it or not, people are the network’s greatest enemy.