Cybersecurity has become such a technology-driven industry that the human side of it may sometimes feel overlooked.
Dr. Jessica Barker, co-founder of Cygenta and recently awarded the ‘Cyber Citizen Of The Year 2022’ prize at the UK’s National Cyber Awards, shared with Infosecurity why Cybersecurity Awareness Month can be an excellent time to start flipping the script and considering people as the strongest link in security.
Infosecurity Magazine: In early October, you expressed your frustration on Twitter about how ‘snarky’ some cybersecurity professionals get about Cybersecurity Awareness Month. Where do you think their irritation comes from?
Jessica Barker: Every October, an element of our community will complain about awareness month. One reason is that maybe, within the security bubble, it can seem frustrating or irritating to feel like you're being banged over the head by Cybersecurity Awareness Month and that certain vendors are jumping on the bandwagon and using it to sell and putting out communications that maybe are a bit dated – and nobody is more frustrated by that than me.
But I also think there's another element to it where we, as an industry, don't value the human side as much as the technical side. I think there's still an element where the human side of security, focusing on awareness, behavior and culture, just isn't held in the same regard.
When we focus on awareness raising, we need to consider the audience we're communicating with and what is relevant to them and what will help them in their day-to-day lives, both at work and home. We also really need to focus on the why. Why security is essential and why we recommend specific controls. Rather than telling people what to do or what not to do, it's much more helpful to frame it from the context of why we're making those recommendations.
Also, we need to get better at listening to people, asking them questions, understanding what they care about or are concerned about in security, and listening to their frustrations. If they aren't practicing certain behaviors, we need to understand why not and look at how we can address that tension.
IM: And maybe stop repeating that ‘people are the weakest link’? I saw that you were strongly advocating against using this phrase…
JB: It's really the worst phrase in security. For the last 10 years, I've been trying to champion a more people-centric approach to security, which means being more compassionate. A phrase like ‘people are the weakest link’ or, even worse, ‘users are the weakest link’ is so lacking in empathy. It's pointing the finger at people, victim-blaming them. When we call someone a user, we're separating us from them, and there's almost a sort of element where we're positioning ourselves in security as superior. But of course, we all use technology, and we can all be vulnerable to security issues.
It is very superficial as well. Without people, there is no information, technology, or cybersecurity. People are the only link because machines are not attacking machines by themselves, so it just doesn't make sense to me.
Also, it's putting far too much burden on people. We don't design security technology and systems with people at the heart of it, and then we blame people when they cannot fully engage in certain practices. The right phish can catch any of us at the right time, not because we are stupid, but because we're human.
It also overlooks the many times that people are the strongest link. The 99 times somebody doesn't click on a link in a phishing email and instead reports it.
IM: How do you think Cybersecurity Awareness Month can help flip the script?
JB: Of course, no one month, no one activity can create lasting change in cybersecurity. But what we can do with awareness raising and Cybersecurity Awareness Month is galvanize people. We can get their attention. Get them talking to their colleagues, friends and family about a cool phishing demo they saw or any other kind of activity that made them think about security from a different perspective, and you’ve won.
Awareness raising is not a case of ticking boxes, but it should be seen as one layer of defense. And Cybersecurity Awareness Month must be seen as one moment to do that, but not the only one.
It must be part of cyber awareness-raising campaigns throughout the year. Then, around December, when many people buy gifts for the festive period, you could be running online campaigns about shopping securely online or Internet of Things (IoT) security. Similarly, in the summertime, you could run campaigns that help parents in your workforce talk to their kids over the summer holidays, in terms of safe gaming, for example.
More generally, I think the right approach is looking at specific risks in your organization and planning targeted training for different groups, understanding what kind of behaviors people are practicing and building metrics that really show them what activities will work for them and how they can engage.
IM: A recent study showed that 91% of cybersecurity professionals had faced mental health challenges in the last two years. Does such a high number surprise you?
JB: It's very high, but it is not surprising. We work in a challenging profession that has gotten even more so over the last couple of years. We know that rates of burnout are very high in this industry. It's common for people to struggle with imposter syndrome, and it's common for people to be overworked and sometimes feel isolated.
It's something we need to tackle. That’s why talking about the human side of security isn't just looking at how we can raise awareness, influence behaviors, and build a positive culture in terms of security with our colleagues in organizations and with the public; it's also about looking at what is demanded of us as security professionals and how we can build in more understanding and support when it comes to mental health.
I’m on the board of ClubCISO, and a couple of years ago, we became aware of increasing mental health issues in the industry and have been tackling them ever since.
We've been running mental health workshops over the last couple of years and received great feedback from our 600 members. There is an appetite among the security community to understand more and to access and provide more support regarding mental health.
IM: You asked your audience on social media what they would do differently if they started their cybersecurity career from scratch and what they wish they had been more aware of. What about you?
JB: I started in cybersecurity 11 years ago and would never have picked it as a career. I was approached about a cybersecurity job coming from a different field, so I had a steep learning curve, which I loved.
At the start, I wish I had realized it was okay not to know everything and to ask questions.
Cybersecurity is such a broad industry, and many specialisms can lead to imposter syndrome.
We need to recognize that we can't know everything in this industry and that we all have our areas of expertise, whatever field you're coming from, whether you're coming from a technical field or, like me, a more human-centric field.