
Op-Ed: Don’t spend all your security budget on technology

Enterprise spending on information security and risk management products and services in Australia is forecast to grow 11.2 per cent to reach $6.96 billion this year, according to Gartner — and it’s been sitting comfortably around the 10 per cent mark for the last couple of years but increasing slowly.

Richard Addiscott
Thu, 16 Feb 2023

This growth is being driven by several factors, including an increase in remote and hybrid work and increases in the incidences of data breaches. While it’s great news that security budgets are increasing, it’s important not to spend it all on technology.

As a cyber security leader, consider the human element before earmarking your security investment budgets for more technical controls. It is not the machine but human vulnerabilities that cause most cyber attacks; humans have long, but unfairly, been regarded as the weakest link in an organisation.

Verizon’s 2022 Data Breach Investigations Report indicated that 82 per cent of data breaches involved the human element, a telling statistic signalling to cyber security leaders that human behaviour and the user experience need greater consideration. It also indicates that security programs founded on technology-centric investments are not delivering the full risk management outcomes expected.


Reduce risk to the organisation

Phishing remains the primary mode of attack, but several other human activities contribute to a significant number of all data breaches, from system misconfiguration and data misuse or mis-delivery, to weak credentials. These are all avoidable behaviours that must be addressed.

Employees know they’re being unsecure. Gartner research shows that over 90 per cent of employees who admitted undertaking a range of unsecure actions during their work activities knew that it would increase risk to the organisation yet undertook them anyway. The top reasons given were speed and convenience, as well as the perceived benefits outweighing perceived risks.

Then you have poorly designed controls that introduce more friction than benefit. Current security control investment and implementation are often done in a way that the people served by the controls see no benefit. In addition, the way controls are often implemented causes unintended operational friction for users. The combination of a lack of benefit and increased friction encourages employees to seek efficiencies through actions that are both unsecure and contrary to policy.

Wherever possible, it’s important to redesign controls that integrate seamlessly with the flow (and location) of work. Place greater emphasis on understanding how and where employees conduct day-to-day work and design controls that work with that workflow. A way to achieve this is to adopt human-centric security design practices into your strategic capabilities and operating practices.

Focus on the individual, not technology or threat

Gartner predicts that 50 per cent of large enterprise chief information security officers (CISOs) will adopt human-centric security design practices by 2027 to minimise cyber security-induced friction and maximise control adoption.

Human-centric security design places the individual, rather than technology, threat, or location, at the focus of control design and implementation. This approach allows for varied or multiple contexts according to the individual’s needs, both personal and operational, in achieving the desired business outcomes.

It could mean providing risk-appropriate, but more flexible, security control operation and user experiences; driving empathy-based security management considerate of situational factors; and enabling intentional collaboration with stakeholders during control design.

Minimise employee friction

Human-centric design improves security program ROI. No security program can be effective if employees actively seek to circumvent it. The essential ROI of human-centric design is that the cyber security program operates as intended with minimal friction with employee work programs.

The controls actually work. There are significant tangential benefits from injecting the security program with more human understanding: more understanding of threats and of how humans make decisions about threats. By taking steps to better understand employees, you’re better able to influence their behaviour.

Introducing this approach requires formalised, and most importantly, consistent end-user collaboration practices to be established into security initiatives. This represents a need to shift the way your team works, which will trigger changes in your organisation’s security operating model.

Ensure empathy is listed as a critical employee attribute in recruitment efforts, as a foundational enabler to ensuring that the human, and their requirements, are at the heart of security control design, deployment, and operation.

Adopting human-centric security design practices also requires cyber security teams to be involved in solution design and development. Invest in outreach to DevOps teams and business analysts on a continuous basis, with the intended secondary benefit of helping them improve their own risk-aware decision making as well as co-creating controls.

How to get started

First, define and reset security team expectations about the importance of the human element when evaluating, implementing, and operating security controls. Then commence planning for and building security workforce capability, especially for customer/business-facing security functions, that employs empathy-driven, outcome-focused practices to enhance human and user interactions.

Once that is done, evaluate the existing security roadmap. Identify future security initiatives that are expected to result in a change to the way your organisation’s employees will perform their work. Use this initiative to conduct a proof of concept or beachhead security project where human-centric design practices are deployed collaboratively with employees impacted by the initiative.

Richard Addiscott is a senior research director at Gartner. He is the conference chair of the upcoming Gartner Security & Risk Management Summit – 28-29 March 2023 in Sydney.
