In a thought-provoking presentation during Security Congress, Walmart’s chief security architect challenged cybersecurity professionals to take a more scientific approach to their work.
Ira Winkler urged organizations to implement comprehensive behavioral cybersecurity programs that use statistical analysis to understand human actions. With this approach, he argued, you can better address bad habits that contribute to security vulnerabilities. It also allows you to learn and address the needs and wellness of cybersecurity teams.
Too often, he says users get wrongly blamed for security issues. “If you have a user that creates harm, the harm is a result of a poorly designed system,” he said.
Organizations run awareness programs that seek to change behavior through entertainment by, for instance, showing users funny videos. But that isn’t effective, Ira said. “Frankly, telling people they'll be fired for doing the wrong thing works much better than a funny video.”
You should use metrics to figure out what users are doing and why – and introduce initiatives that reward users who make good decisions, he said. A gamification approach can work, he said, but too often it is implemented wrong.
“You're playing a game but that is not gamification. Gamification is a reward structure where you reward actual practices while they're happening,” Ira said, comparing effective gamification to airline frequent flyer rewards.
User Confusion
One of the reasons for harmful activity by users may come down to the interface they’re using, he said.
“How many awareness professionals ever said, ‘I want to sit down with the development team and look at the interfaces my users work with so I can figure out how to make sure they don't make an error proactively in the design of the system,” he said. If the user has five windows open and something pops up on the screen, they make click something that leads to harm because they are seeing too much information at the same time, he argued.
Behavioral cybersecurity can help make the necessary changes by taking into account research and statistics, Ira said. “Analyze where the errors are coming from a valid, scientific perspective. And figure out what needs to be modified, how it needs to be modified and so on, and then improve the process,” he said.
Cybersecurity Team
An important piece of implementing behavioral cybersecurity is addressing the cybersecurity team’s needs. That means reviewing how the cybersecurity team is working, what tools are available to them, how well they are trained, and how the company recruits new team members, Ira said.
If the team is making mistakes that lead to vulnerabilities, find out what is behind that so you can improve their performance.
Organizations also need to evaluate the team’s wellness. “You might hear people talking about burnout. The problem is in most organizations, nobody's really looking out for your cybersecurity team except your CISO, who's already burnout victim number one,” Ira said. “Are you working with your employee wellness people? Who's doing that for the cybersecurity team?”
He compared current pressures on cybersecurity professionals to those experienced by healthcare workers during the pandemic. It would make sense to look at lessons learned in fields such as healthcare to figure out how to help cybersecurity professionals, he said.
Widening Attack Surface
During the pandemic, cybersecurity teams were called on to execute what at times seemed impossible – securing a vast increase of work-at-home users who couldn’t go into the office to comply with shutdown mandates.
At an earlier Congress session on Monday, Bryson Bort, Founder and CEO of SCYTHE, said companies all of a sudden wanted to implement VPN connections for large numbers of employees and expected the cybersecurity teams to do it.
Those VPN connections, as well as other ongoing developments such as the expansion of the Internet of Things (IoT), is widening the attack surface for hackers. As the attack surface increases, so does the workload on cybersecurity teams. To Ira’s point, that increase creates more pressure on cybersecurity that in many cases are understaffed because of the skills gap, currently at 3.4 million.
Some relief may be on the way in the form of artificial intelligence (AI). For instance, Bort said, AI will get to a point where secure tools can take actions to auto-remediate issues, and computers can fix problems without human intervention.
When that will happen, he said he didn’t know. But in the meantime, as Ira suggests, organizations can reduce security risks by implementing behavioral cybersecurity programs.