Perhaps It’s Time We Stop Blaming the Users

You can’t fix stupid

For years, I’ve been hearing security people say that about uninformed users who fall victims to cyberattacks. I gotta admit, I was guilty too of saying that on a few occasions.

One report shows 91 percent of cyber-attacks began with phishing or spear-phishing emails. Another study finds almost two thirds of data loss were results of human errors such as loss or theft of device or as naïve as emailing data files to the wrong recipient. And there will soon be 4 billion of us shiny targets waiting to be preyed online, according to Microsoft.

People are always going to be the weakest link. The longer I’m in the cybersecurity industry, the more often I see that. Most attacks start with them; therefore, it must be their fault. Let’s keep locking them down and beating them up, there’s not much else we can do.

Maybe we are wrong

On a recent flight home from Indianapolis (a trip to LifeOmic headquarters), I finished reading When Breath Becomes Air, a remarkable memoir by Dr. Paul Kalanithi. It is heartbreakingly sad yet breathtakingly beautiful. Read it – it’ll be an unforgettable experience, I promise. I hope to tell you more about the book, but that’s for another time. Right now, I want to highlight just one part that triggered me to write this article.

During Paul’s path from being a resident neurosurgeon to embarking on the study of neuroscience, his friend and fellow professor, V, was diagnosed of pancreatic cancer. Upon V’s recovery, Paul wrote,

“How little do doctors understand the hells through which we put patients.”

I always thought of security professionals as the doctors of cyberspace. I couldn’t help but reflect, perhaps the image in front of our users was not that of a doctor or savior, but more of an annoying cop, a monkey on their back, a PITA, or worse, a devil wearing a white hat.

I don’t mean that ignorant users have a right to be careless. I don’t mean that users should not bear the responsibility for their sloppy mistakes or that it should rest alone on the shoulders of security professionals.

I simply want to reflect; to look more deeply into ourselves first, for reasons that despite all the efforts year after year, cybersecurity is still so broken. And humbly ask –

Are we, security professionals, being too critical or too condescending to our users? Did we do everything we can to understand their challenges, to be in their shoes, to help them in the way they need?

Perhaps they have really tried. Perhaps some of the truly nasty traps set by cyber criminals nowadays are simply too much to avoid and too well-disguised to spot. Perhaps we are expecting too much from our nescient users. Perhaps people are just being people.

To help illustrate my point, let’s talk about something we are probably all familiar with, security folks or not. Driving.

To get my driver’s license, I had to take lessons, learn the signs, rules and traffic laws and finally pass both the written and road test. That means once someone is licensed, they should be using their turn signal at every turn, checking their blind spots with each lane change, making a full stop at every stop sign, and always obey the speed limit, no? Wait, you mean I need to do that EVERY time? When was the last time you didn’t do exactly what you were supposed to? I’m not talking about reckless driving or being an obnoxious jerk behind the wheel. I’m talking about the regular, law-abiding, good drivers like myself (cough cough). I probably was guilty of at least one of those things just this morning.

“Come on. It wasn’t like I caused an accident or something. There was no other car around and I was running late to a very important client meeting.” You tell the police officer after being pulled over for running the stop sign. It was an honest mistake. Nobody’s perfect. It happens to be best of us.

“You still broke the law. Nobody was hurt this time, but next time you might not be so lucky.” Says the cop.

How can a licensed driver make such rookie mistakes? Just like how can an employee neglect to follow basic security best practices after taking their annual security awareness training?

Regardless of what a driver is or is not supposed to do, the auto industry is undergoing tremendous technological advancement to make their cars and their drivers “smarter”. Many of the latest models now come with smart safety features like forward collision detection, assisted braking, blind spot detection, lane departure warning, active cruise control, backup cameras and parking sensors, etcetera. Not to mention the more basic features like seatbelts, airbags, ABS and GPS, to help drivers stay safe on the road more effortlessly.

Did we, security people, provide our users with the instruments like those in a car keeping a mom from crashing into an accident when her mind was on a sick child? Not those “lock-it-down” tools that bloat users’ systems and the processes that tie their hands. Did we make security easy enough for them to do the right things every time while allowing them to focus on their own priorities, to complete that a hundred and one tasks pulling them in all directions? Did we provide the safety net so that when something inevitably goes wrong, it wouldn’t be a complete disaster?

If we haven’t done that, we can’t reasonably expect everyone to be perfect all the time, and we can’t really blame anyone when shit hits the fan, can we?

What can we do to really help our users to be smarter and safer when navigating in the cyberspace? Let’s explore a couple of options.

We could assign a security person to watch everyone, like having a cop following every driver. But wait, we’ll need as many cops as there are drivers! And aren’t you forgetting that cops are humans too and they also make mistakes? Darn it. Scratch that.

Plan B

Maybe it’s time we start to properly engage the users. Instead of pushing them away, tying their hands, and treating them like two-year-olds when it comes to security, we could try trusting them to do the right things and arming them with the tools for the right job and reminders at the right time.

I have three suggestions for you:

1. Better training

Notice I didn’t say more training? Nobody likes those once-a-year, making-you-doze-off, done-and-forget type of eLearning that’s built from PowerPoint slides. They are long, boring, and just not that helpful.

Learning through practice

When I was back at Fidelity, my team and I developed an internal security certification program that helped train and certify thousands of software engineers, technologists and business users, with ongoing gamification to let them accumulate points to reach higher levels by practicing security every day.

Capture that short attention span

At LifeOmic, we are leveraging an interactive platform and witty video contents delivered every month to engage all employees in security awareness. These 3-minute long mini-episodes are smart, funny, easy to follow and memorable. They act as the “antidote” to human errors and to the “friendly fire” in cybersecurity. In fact, we found this platform so effective, we integrated it into JupiterOne.

2. Usable security

If a product or process is not usable, everything else is moot. It sounds cliché to say “less is more” but it is quite undeniable. We need quality not quantity. We should avoid complex and impractical solutions that only generate noise, provide a false sense of security, and incur unnecessary cost.

Quick reference: there’s a short writeup on OWASP about Building Usable Security. And a Coursera course I find helpful.

We have enough security products for the security team. Last I checked, there are over 1,440 security vendors – not tools, most of the vendors have multiple – across 35 countries. More than 800 in the US.

During my consulting days with IBM Security, I have seen organizations with anywhere between 20 to upwards of 50 siloed security solutions. The complexity alone almost guaranteed the lack of visibility and control in their own security operations.

We need better security solutions to help the regular users. Many technology companies are going in the right direction to provide usable security features directly to consumers, like this upcoming ransomware protection feature in Windows 10.

It’s not just products. It is much worse when it comes to processes. For example, many large enterprises have security policies and processes written in hundred-page-long documents. When was the last time your users read them? It is probably so convoluted that your own security team is lost swimming in a sea of meaningless jargons. And it would take an act of congress to make any meaningful updates.

Be customer centric and user friendly

One of the biggest achievements my security team and I had at Fidelity, was developing a patent-pending software security platform to manage the entire Secure SDLC process start to finish, with automation that would cover nearly every step from security requirements to application testing, to tracking the findings, to providing a feedback loop between developers and security team, to real time reporting to stakeholders and management. Shh, sorry I can’t tell you more – it was a top-secret internal project – if I do, I will have to…

But another major takeaway that helped me the most personally from my time at Fidelity, was learning what it meant to be customer-obsessed, to fail fast, to continuously improve. That was reflected in the security platform we built. Unlike many other security products, it was designed for all users, not just the security team. It had usability and user experience as a core focus from the start.

Embrace automation and cloud

Starting fresh to build up security operations at LifeOmic, I have an opportunity to do things differently – a bold approach which may seem unorthodox or even unthinkable to most security professionals – to give users the freedom they deserve. Let them be local administrators; let them visit any website; let them use their tool of choice. We see our internal user network not much more differently than public wireless access points at a Starbucks. Because eventually, inevitably, some user will end up with a malware on their system, and some bad guy will find a way to get on our network.

Wait, did you say you are leaving everything free and open? You must be out of your mind.

Hell no. We do lock things down – but only to those that matter. We have strong access control and multi-factor authentication. We leverage behavior based endpoint protection. We use strong encryption to protect data. We rely on a secure deployment process for the software applications we build. We implemented configuration and activity monitoring for our cloud environments – and we even figured out a way to “watch the watchers”.

Have we figured everything out? Far from it. Is everything working perfectly smooth? Of course not. Our secure deployment process, for example, while it works and is fairly air tight, is still a bit too complicated and slow to our developers’ standards. We also have a long way to go in tuning and event correlation. But that’s okay. After all, we are only a few months into it. There will be a lot more test-and-learn.

What’s more important is that 1) we believe being secure doesn’t necessarily mean getting in the way; and 2) there should be no single point of compromise that will allow an attacker to gain access to “keys to the kingdom”.

Create micro segregations based on risk and data, focus only on what truly matters and not waste time on the noise. This is only achievable by embracing cloud and leveraging automation, to build a data-centric, zero-trust, immutable infrastructure. This also requires patience from everyone and strong support from development while all the kinks and quirks are ironed out, which brings us to my last point below.

I intend to write a follow up blog on how we hardness the power of cloud for real security. More to come, hopefully sooner than later… stay tuned.

3. Working together

It sounds like a no-brainer, but it can often be the hardest thing. Sometimes it almost feels like this is not a battle between the black hats and the white hats but more between security teams and everyone else.

I can hear the security guy…

“Just don’t click on that link, don’t open that attachment. How hard can that be? It’s really basic.”

“Since you can’t seem to protect yourself, I’m gonna do it for you. No local admin rights. No SSH access. You can’t install any custom software. No visiting Facebook or LinkedIn.”

And the developer…

“Fine. I’ll just sign up with this cloud service myself. It’ll be ten times faster than using this crap internally. Or I can just run another VM on my own server. And I can SSH to it from the browser using GCP.” (GCP = Google Cloud Platform)

Sounds familiar, anyone? Where did you think “shadow IT” came from?

Everyone knows there is a trade-off between convenience and security. And that balance is often very hard to strike. All the more reason for security and non-security teams to work together – fundamentally by starting to understand each other; or better yet, to experience it in each other’s shoes. Let’s stop all the self-inflicted pain.

To all my fellow security professionals

When was the last time we asked our users for their feedback on security instead of just telling them what they can or cannot do? When was the last time we actually listened and provided real improvements on security so that they can be truly embraced and easily adopted, without jumping through a bunch of hoops or slowing down to a crawl?

It is not easy. But let’s give it a shot because the approach so far clearly isn’t working.

This is exactly why we productized our approach as JupiterOne. We need better tools, not more tools.

To all my non-security colleagues, engineers and technologists

Please try to understand our pain and suffering. The battle in cybersecurity is hard. We are the ones stuck between users and auditors trying our best to make both happy. When something doesn’t work, the security team often takes the blame. And we are the ones risking getting fired should a breach happen. We pretty much have to do everything right, all the time while the bad guys may only have to do one thing right, just once.

The world of a security professional is arguably a bit more complex than you think. Don’t believe me? Check out this mindmap. If I can draw analogy between working on an IT or development project to parenting a teenage boy – you worry about everything he does – then the job of security is almost like parenting a teenage girl – not only do you worry about your girl, you must also concern every boy around her. We are paranoid for a good reason.

So please be patient with us and work with us. Security is far from perfect. Some of what we do may not make sense to you but trust us to have your best interests at heart. Some of the outcomes require tradeoffs to get there. Help us help you. After all, we are in this fight together.

This article was originally published on LinkedIn.