
When a panel made up of experts from the Black Hat MEA community got together to talk about cyber hygiene, Rasha Abu Alsaud (EVP and CISO at Saudi National Bank) pointed out that we can’t overlook the human element.
The panellists – who also included Zaki Abbas (CISO at Brookfield Asset Management), Richard Archdeacon (Advisory CISO at Cisco), and Fal Ghancha (CISO at DSP Investments) – agreed that good cyber hygiene has to start with the basics.
“I speak to a lot of CISOs,” Archdeacon said, “and they look at the risk an organisation may face and what might happen; and what I see is the fundamentals not being addressed that might cause issues for them.”
“We’re now hearing CISOs talking about getting the basics right. Doing brilliant basics. Because that’s the best way to manage the risk.”
Abbas agreed that “Cyber hygiene is not just an IT or security problem. It’s a business problem. It’s a matter of going back to basics.”
And from a tooling perspective, that means understanding exactly what kinds of controls are needed to protect critical resources – and then developing processes to ensure that those tools are accessed by the right people, and used correctly.
CISOs need to be clear on why each tool is needed. For Archdeacon, this comes down to clarifying what CISOs are worried about, and assessing the effectiveness of tools to mitigate those concerns. “A friend of mine said to me years ago, ‘security is easy – all you have to do is make sure the right person is using the right tools,’” he joked.
But while that might not actually be easy, it is true. There’s no point in having cutting edge tooling if you aren’t absolutely certain why each tool is there, what it’s for, and who should be able to access it. And from there, you’ve got to ensure that only those people have access – and that they know how to use and maintain the tool effectively.
Alsaud said:
“I think it’s important that in addition to the reliance on technology, manual validation needs to be practised as well, to check the effectiveness of the controls in place.”
She agreed that CISOs need to go back to basics, but pointed out that the basics in question here are all configured on technology, and if you rely solely on technology to report on its own effectiveness, it might not give you the right basic results.
So good cyber hygiene is also about challenging the reports provided by technology. You have to add a human element to the controls – ensuring not only that the basics are implemented correctly, but that they’re also being reported accurately. Essentially, security teams need to engage in a continuous process of assessment of technological effectiveness.
“Yes, technology is very important,” Alsaud added, “and a complete set of technologies; from identity to network protection; the zoning of networks, isolating your critical assets…all of these are excellent. But at the same time it’s important that we don’t rely on these technologies to protect the environment.”
“Human intervention is required to validate the effectiveness of the technology.”
It’s not uncommon to hear organisations blaming tech for a breach; complaining that they suffered a compromise ‘even though’ they were using a certain piece of technology. But Alsaud argued that the issue isn’t with the tech – it’s in how you’re using it, validating it, and ensuring it’s always up to date and functioning at its best.