With digitalization taking away some of the local control of data and systems, cybersecurity is now everyone’s problem!
As organizations adopt new technologies, standards and processes in the name of digitalization and resilience building, human factors are often overlooked or taken for granted.
From the security guard to the CEO, any company is exposed to attack because technology is now woven through every part of the organization. In many cases, breaches are caused by or linked to human error. Board members can no longer point solely at the IT team whenever something goes wrong.
So, how should the human element be treated in the scheme of things surrounding automation and cybersecurity policies?
In a chat with CybersecAsia, information security expert Nick Savvides, Director of Strategic Accounts (Asia Pacific), Forcepoint, shared his views.
CybersecAsia: What is your view on the ‘humans vs devices vs process’ link in cybersecurity resilience?
Nick Savvides (NS): I think it is critical to consider all three aspects together. You can no longer decouple them and treat each aspect separately. This can be best thought of by abstracting away infrastructure and systems, and elevating cybersecurity to center around the data and users who work on that data.
This approach will allow organizations to apply controls, supervision, protections and importantly responses in a more holistic manner, tied together with the concept of Zero Trust.
CybersecAsia: Why is it important to include the human element in any cybersecurity strategy?
NS: Cybersecurity strategy used to focus on securing systems and networks within our control. With the rise of the Cloud, remote-working and rapid application development, we no longer control many of the systems, networks and even the devices that an organization deploys.
This means we have to rethink our approach, and if we place the users and data at the center of the strategy, we can abstract away some complexity, and have security that follows the user and the data wherever they exist.
This allows us to have a much more risk-aware and risk-adaptive cybersecurity program, because it aligns more closely with the business outcomes of cybersecurity.
Applying a user-first approach must also abstract away geographical, cultural and social considerations. Consider the diverse cultural backgrounds, languages and cultural nuances when conducting appropriate training to help all users to make the most of the tools they are given.
For organizations operating across borders, I think it is also important to run policy and regulation education across the region, so that all users are aware of not just their specific countries’ regulations but also those of other regions.
CybersecAsia: What is your view on AI-driven Zero Trust security for organizations?
NS: We do love buzzwords in cybersecurity, and Zero Trust has been one of the hottest for a while now, mainly I think because its concepts have always been part of what we have wanted in cybersecurity but the technology to make it happen was not possible until now.
One of the elusive key concepts that is now enabled by AI is that in a Zero Trust world we can observe more actions, more interactions, more data and more events than ever before, and from there, understand if a user or system presents a risk to us.
This is a very big area for us at Forcepoint, because we have been applying these principles in our solutions for a long time, and applying them to new systems to adaptively respond to and even preempt threats.
CybersecAsia: Today security threats can come from C-suite personnel or even a security guard having limited access to technology.
NS: Yes, and every organization now faces significant cybersecurity threats in all aspects of their operations.
This means organizations and CISOs need to make cybersecurity everyone’s responsibility, and make it clear that cybersecurity is not a technology or an IT problem: it is in fact a business problem that everyone must deal with.
Much like workplace health and safety is everyone’s problem, so should be cybersecurity. This means all users should be empowered and educated on cybersecurity, and armed with technologies and processes that help them defeat threats.
CybersecAsia: How does the Asia-Pacific region fare in holistic cybersecurity?
NS: APAC is a very diverse region, and we see significant differences even within countries. Two factors drive change in technology and working practices, and in turn, cybersecurity: cloud adoption and widespread broadband access.
For APAC, I would also say that there is definitely a region-wide push for regulation maturity, driven by countries like India, Australia, Singapore and Japan who are strengthening their privacy and cyber-security regulations.
CybersecAsia: High-end cybersecurity solutions are almost unaffordable for small firms. How can they address this challenge?
NS: While the threat landscape becomes even more hostile, cybersecurity costs have become unsustainable even for large organizations. This is why I think the user-centric and data-first approach—especially one delivered from the cloud—is central for the success of organizations in this battle.
Larger organizations can choose to deploy and use all of the advanced capabilities delivered from the cloud, while smaller organizations can benefit from the simplicity and cost effectiveness of cloud, riding on the advanced features pushed by larger organizations.
CybersecAsia: What are the key things a CISO should keep in mind while devising a cybersecurity policy?
NS: Ensure you think about cybersecurity as a business problem, set a strategy that recognizes you can no longer depend on controlling your systems, networks and devices; and finally take a risk-adaptive approach.
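The "risk-adaptive" approach Nick describes (observe user and system events, derive a risk level, respond proportionately rather than with a fixed allow/deny) can be made concrete. The following is an added illustration written for this page, not Forcepoint code and not a description of any product's logic. The event format, the sample log lines, the enrolled-device baseline, the signal weights and the score thresholds are all assumptions chosen for the example; in practice they would be tuned to an organization's own telemetry.

```python
import json
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): one JSON event per line, in the
# shape a cloud proxy or identity provider might emit. Two users are shown: one
# behaving normally, one showing several simultaneous risk signals.
SAMPLE_LOG = """\
{"ts": "2023-03-01T08:05:00Z", "user": "alice", "kind": "login", "device": "lt-0123", "country": "SG"}
{"ts": "2023-03-01T08:30:00Z", "user": "alice", "kind": "download", "bytes": 12000000}
{"ts": "2023-03-01T02:10:00Z", "user": "bob", "kind": "login", "device": "unk-9f3a", "country": "AU"}
{"ts": "2023-03-01T02:40:00Z", "user": "bob", "kind": "login", "device": "unk-9f3a", "country": "BR"}
{"ts": "2023-03-01T02:55:00Z", "user": "bob", "kind": "download", "bytes": 420000000}
{"ts": "2023-03-01T03:05:00Z", "user": "bob", "kind": "download", "bytes": 210000000}
{"ts": "2023-03-01T03:10:00Z", "user": "bob", "kind": "dlp_violation", "rule": "pii-export"}
"""

# Assumed baseline of enrolled devices per user (would come from MDM or the IdP).
KNOWN_DEVICES = {"alice": {"lt-0123"}, "bob": {"lt-0456"}}

# Assumed signal weights and thresholds; these are illustrative, not a standard.
WEIGHTS = {
    "new_device": 20,
    "impossible_travel": 40,
    "bulk_download": 30,
    "dlp_violation": 25,
    "off_hours_login": 10,
}
BULK_BYTES = 500_000_000        # more than 500 MB downloaded in the window
TRAVEL_WINDOW = timedelta(hours=1)  # two countries within an hour is "impossible"
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 UTC, assumed


def parse_log(text):
    """Parse JSON-lines telemetry into dicts with a datetime ts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def score_user(user, events, known_devices):
    """Return (score, reasons) for one user; the score is capped at 100."""
    evs = [e for e in events if e["user"] == user]
    logins = [e for e in evs if e["kind"] == "login"]
    reasons = []
    if any(e["device"] not in known_devices.get(user, set()) for e in logins):
        reasons.append("new_device")
    # Consecutive logins from different countries too close together in time.
    for earlier, later in zip(logins, logins[1:]):
        if earlier["country"] != later["country"] and later["ts"] - earlier["ts"] <= TRAVEL_WINDOW:
            reasons.append("impossible_travel")
            break
    if sum(e.get("bytes", 0) for e in evs if e["kind"] == "download") > BULK_BYTES:
        reasons.append("bulk_download")
    if any(e["kind"] == "dlp_violation" for e in evs):
        reasons.append("dlp_violation")
    if any(e["ts"].hour not in BUSINESS_HOURS for e in logins):
        reasons.append("off_hours_login")
    score = min(100, sum(WEIGHTS[r] for r in reasons))
    return score, reasons


def decide(score):
    """Map a risk score to a graduated response instead of a flat allow/deny."""
    if score < 30:
        return "allow"
    if score < 60:
        return "step_up_mfa"
    if score < 90:
        return "restrict_downloads"
    return "block_session"


def assess(log_text, known_devices=KNOWN_DEVICES):
    """Score every user seen in the log and attach the action to take."""
    events = parse_log(log_text)
    verdicts = {}
    for user in sorted({e["user"] for e in events}):
        score, reasons = score_user(user, events, known_devices)
        verdicts[user] = {"score": score, "reasons": reasons, "action": decide(score)}
    return verdicts


if __name__ == "__main__":
    for user, verdict in assess(SAMPLE_LOG).items():
        print(user, verdict)
```

Running it, alice scores 0 and is allowed, while bob accumulates an unknown device, a login from a second country 30 minutes later, over 600 MB of downloads, a DLP hit and an off-hours login, and is blocked. The point of the design is the middle tiers: a single weak signal (say, one login from a new laptop at night) produces a step-up MFA challenge rather than a lockout, so the control follows the user's risk rather than a static perimeter.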
CybersecAsia thanks Nick for sharing his insights.