In today’s world, it would be tone deaf to deny that humans are often labeled as the weakest point in the cybersecurity chain. But despite having more cybersecurity defenses than ever to protect people, organizations suffer more breaches than ever. What we are doing has not worked. We are losing – and it’s very expensive.
The attack surface at nearly every organization has expanded and now includes a hybrid workforce, so we can’t centralize solutions. Top-down remedies aren’t working anymore. Moreover, the pace of change has accelerated and it’s more distributed than pre-COVID, leaving more doors unguarded.
Chief information security officers (CISOs) and their teams are stressed to the point of burnout and resignation. It’s hard to fight a war that’s never won. Is there a way to turn it around?
Industry bellwether Gartner believes so. This year, their analysts said: “Security leaders must pivot to a human-centric focus to establish an effective cybersecurity program.” That’s more than a perfunctory nod to educate employees about cyber risks. Naming human-centric security as the No. 1 trend in 2023, Gartner’s message carried three clear points:
- Cybersecurity programs are ineffective [today]. They don’t work [yet].
- The aggregate investment in security tools has failed to address the most prolific vulnerabilities.
- The answer: change cybersecurity to leverage employees.
Automated security tools are helpful, but as Gartner indicates, they fall short because there’s a missing element: people. So, can CISOs combine human-centric and automation approaches to mobilize an organization’s workforce for cybersecurity?
Human-centric security and automation need each other
Today’s cybersecurity emergency centers on the human element: errors, social engineering and misused credentials figure in 82% of breaches, according to Verizon’s 2022 Data Breach Investigations Report. Unfortunately, security teams are woefully bad at persuading employees to help close those gaps.
Enter human-centric security, which engages and empowers employees to improve security. In contrast, automation generally runs without human intervention; that’s both its strength and weakness. Yes, automation constantly detects and mitigates potential threats, but it often clashes with employee productivity — because it lacks human participation and guidance.
For example, a U.S. company upgrades software on all employee devices at 3 a.m. PST. That inadvertently causes employees traveling in Europe or Asia to miss important customer video meetings. The upgrade helps security, but hurts productivity.
Better together: The self-healing multiplier
Now revisit that scenario: the system automatically asks (or incentivizes) users to schedule a convenient time for their update, so their workday is not disrupted. This combination of human-centric and automated approaches protects employee productivity. The caveat is that the choice must be bounded: a deferral with no hard deadline lets the patch window stretch indefinitely, so the automation should honor the user’s pick only up to an enforced cutoff, after which it installs anyway.
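The scheduling logic sketched above, as an added example that is not the article’s own or Amplifier Security’s code: it contrasts the fleet-wide “3 a.m. PST” slot with a per-user window chosen in the user’s current time zone, skips calendar conflicts, and enforces a hard deferral cap. Everything in it is an assumption for illustration: the quiet window of 01:00 to 05:00 local time, the seven-day cap, and the constructed calendar data.

```python
"""Pick a per-user update window instead of one fleet-wide 3 a.m. PST slot.

Added example (not Amplifier Security's code). Assumptions, all hypothetical:
the quiet window is 01:00-05:00 in the user's current time zone, an update may
be deferred at most MAX_DEFERRAL after release, and calendar data is a list of
busy (start_utc, end_utc) pairs. Standard library only."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

QUIET_START_HOUR = 1                 # local hour the quiet window opens (assumption)
QUIET_HOURS = 4                      # window length: 01:00-05:00 local
MAX_DEFERRAL = timedelta(days=7)     # hard cap on deferral; after this we force
FLEET_TZ = ZoneInfo("America/Los_Angeles")   # the article's "3 a.m. PST" policy
UTC = timezone.utc


@dataclass
class Device:
    user_id: str
    user_tz: str                                  # IANA zone where the user is now
    busy: list = field(default_factory=list)      # [(start_utc, end_utc), ...]


def _next_local_hour(now_utc, tz, hour):
    """First datetime at hour:00 in tz strictly after now_utc.
    Wall-clock arithmetic, so the window stays at local 01:00 across DST."""
    local = now_utc.astimezone(tz)
    cand = local.replace(hour=hour, minute=0, second=0, microsecond=0)
    if cand <= local:
        cand += timedelta(days=1)
    return cand


def fleet_wide_window(now_utc):
    """The 'before' policy: everyone updates at the next 03:00 Pacific time."""
    return _next_local_hour(now_utc, FLEET_TZ, 3).astimezone(UTC)


def overlaps(start, end, busy):
    """True if [start, end) intersects any busy slot."""
    return any(s < end and e > start for s, e in busy)


def propose_window(device, now_utc, released_utc):
    """Return (start_utc, forced). Walk forward one local day at a time and
    take the first quiet window free of busy slots; if none exists before
    the deferral deadline, return the deadline itself with forced=True."""
    tz = ZoneInfo(device.user_tz)
    deadline = released_utc + MAX_DEFERRAL
    cand = _next_local_hour(now_utc, tz, QUIET_START_HOUR)
    while cand.astimezone(UTC) < deadline:
        start = cand.astimezone(UTC)
        end = start + timedelta(hours=QUIET_HOURS)
        if not overlaps(start, end, device.busy):
            return start, False
        cand += timedelta(days=1)
    return deadline, True


def accept_user_choice(chosen_utc, released_utc):
    """Human in the loop: honour the user's own pick, but never past the cap."""
    deadline = released_utc + MAX_DEFERRAL
    return (chosen_utc, False) if chosen_utc <= deadline else (deadline, True)


def iso(dt):
    """Normalize an aware datetime to a UTC ISO string (handy for checks)."""
    return dt.astimezone(UTC).isoformat()


def local_hour(dt_utc, tz_name):
    """Hour of the day that a UTC instant falls on in the given zone."""
    return dt_utc.astimezone(ZoneInfo(tz_name)).hour


# Constructed sample data (not real calendar or fleet data).
NOW = datetime(2024, 3, 4, 10, 0, tzinfo=UTC)          # 11:00 in Berlin, 02:00 in LA
RELEASED = datetime(2024, 3, 1, 0, 0, tzinfo=UTC)      # patch published; cap is +7 days
LATE_PICK = datetime(2024, 3, 9, 0, 0, tzinfo=UTC)     # a user pick past the cap
berlin_user = Device("u1", "Europe/Berlin", busy=[
    # overnight travel, device offline (constructed)
    (datetime(2024, 3, 4, 22, 0, tzinfo=UTC), datetime(2024, 3, 5, 6, 0, tzinfo=UTC)),
])
always_busy = Device("u2", "Europe/Berlin", busy=[
    (datetime(2024, 3, 4, 0, 0, tzinfo=UTC), datetime(2024, 3, 9, 0, 0, tzinfo=UTC)),
])

if __name__ == "__main__":
    fw = fleet_wide_window(NOW)
    print("fleet-wide slot, Berlin local hour:", local_hour(fw, "Europe/Berlin"))
    print("per-user slot:", propose_window(berlin_user, NOW, RELEASED))
    print("no free window before cap:", propose_window(always_busy, NOW, RELEASED))
    print("late user pick:", accept_user_choice(LATE_PICK, RELEASED))
```

For the Berlin traveler the fleet-wide slot lands at noon local time, exactly the clash the article describes, while the per-user window lands at 01:00 local two nights out, after the travel slot. The always-busy device never gets a free window and is forced at the deadline, which is the check that keeps “ask the user” from turning into “never patch”.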
At the same time, automation can play a vital role in human-centric security by engaging employees to heal their own security missteps. If CISOs truly want to chop that 82% stat, then deputizing all employees to help their small team of cybersecurity specialists promises a powerful step forward. While human-centric security makes sense, it needs what automation offers: structure, purpose, and a mechanism to apply it. Automating interactions with employees for security lets them solve their own security problems and creates a profound self-healing result.
Show employees how and why they matter to security
Generative AI can change this picture by enriching a workforce’s interactions with security priorities. Employees are more likely to help when they see context and know why a particular security action matters. Today, most employees have little visibility into the organization’s security and risks, cannot see their own role in it, and never see their own security posture.
Generative AI shines at answering questions such as “How long will the macOS update take?” or “What security policy must I follow when sharing files?” It can coach employees to understand and solve their own security issues, and AI-based automation helps loop the workforce into decisions. For that coaching to be trustworthy, its answers must be grounded in the organization’s actual policies and device inventory rather than generated from general training data, or it will confidently give employees the wrong instructions. Employees respond well to seeing where they and their department rank in security effectiveness, so show them.
To spur collaboration, reward employees for constructive behaviors. We can make the reward information something like this: “The team helped stop a likely attack that hit 10 companies in our industry.” This type of engagement relies on using the newest AI technology. Generative AI helps companies adapt to accelerated, highly distributed change and reduce human-enabled security failures.
Organizations want to follow Gartner’s recommendation, but they need a roadmap. Nobody has established best practices to merge human-centric security with automation for the most effective self-healing.
There are missing links, like the technology to bridge dozens of security tools and their torrent of output, then triage the right signals to the right employees. It’s important to enlist employee participation in ways that actually work. We’ll need to leverage generative AI and other modern technologies to scale a human-centric, self-healing security program.
Putting a small portion of the security budget toward combined human-centric security and self-healing automation promises a strong return on investment (ROI), because it calls on the full security contribution of a workforce the organization already pays for.
Avoid lock-in: don’t hardcode the program to a technology that will fall behind the better capabilities arriving soon. The industry will sharpen best practices over time and fold them into SaaS-based security products.
Developing human-centric security can spur highly effective employee collaboration while building a strong security culture throughout an organization. By involving the entire workforce, the company can build sustainable security practices for the future and close attackers’ window of opportunity.
Thomas Donnelly, co-founder, president and CTO, Amplifier Security