Lance Spitzner: Human risk calls for human solutions
In this episode of the Behave podcast, CybSafe Founder & CEO Oz Alashe is joined by Lance Spitzner, Director at SANS Security Awareness.
Human risk calls for human solutions
They talk about why we should focus more on the human cyber risk side and highlight that we can’t solve human risks by throwing technology at the problem. They also discuss the rise of attacks through email, phone calls and more recently, through text messages. Unless we focus on managing human risk, attackers will always have ways to go around the solutions we implement.
Oz Alashe MBE CEO, CybSafe
Lance Spitzner Director, SANS Security Awareness
Lance Spitzner is a director at SANS Security Awareness, a world-class security training institute helping organizations manage and measure various cyber risks—with a focus on human risk.
Spitzner has been in the cybersecurity space for about 20 years. During the early stages of his career, he was involved in technical aspects of cybersecurity. However, more recently, he has found his niche in the human element, where he believes the biggest difference can be made.
Connect with Lance on LinkedIn and Twitter.
1. The human aspect of cybersecurity is critical
Lance argues that today, it’s much easier to manipulate a human being than to hack into computer software. He explains that the various technological aspects of cybersecurity have made it nearly impossible to access computer systems, but do little to protect from human behavior.
According to Lance, the problem is, “Using technology to secure technology but not people.” Human beings are the primary attack vector. And security professionals need to take action.
2. The human aspect still isn’t being sufficiently addressed
“You go to any security professional, and they will tell you about the three pillars of cybersecurity: Technology, process, and people. And you go to any security team at any organization, and say they have 100 people on their security team, 99 of them will be focused on technology,” says Lance.
Organizations acknowledge that the human aspect can be problematic, but attempt to solve it by throwing technology at it, which doesn’t work. On a more positive note, we’re seeing a shift, with more initiatives catering to the human side.
3. Criminals know how to get past technological defenses
Lance speaks about how over the years, cybersecurity has tackled phishing attacks using effective anti-phishing software. However, cybercriminals have evolved and have stopped using emails, but instead focus on SMS to attack people directly, as the standard tech can’t prevent that.
“For example, phishing. We have been struggling with phishing for years, but we are finally getting good at it. We have technology in place to identify and stop email-based phishing attacks, taking down phishing infrastructures, training people not to click . . . so the cyber attackers switched from phishing emails to smishing, which is text-based.”
“Until we start taking the human in mind also, the bad guys will be doing what they’ve always done: Go around the technology and target the human.”
4. Communication with leadership is important
We need to do better when communicating with leadership. From here, you can get investment. Lance gives as an example a security awareness officer’s encounter with their boss on an elevator.
The officer should do an excellent job expressing their duties and say, “As a cybersecurity officer, my job is managing human risk. We have identified that the top 3 drivers of incidents in our organization are the behaviors of our workforce, so we have created a program to identify and manage those 3 top risks by changing our workforce’s behavior.”
Sentiments like these would earn the leader’s support and credibility and, as a result, could lead to investment in the human aspect of cybersecurity.
5. The whys and whats of human risk
“We have a lot of excellent security awareness professionals who are good on engagement and behavior but have no idea what behaviors they want to change or why because they are missing the risk side,” says Lance.
Oz adds, “Unless we are really committed to the whys, our whats will only be half effective anyway. Reducing risk for an organization is a clear why.”
6. What’s missing from the NIST document
The National Institute of Standards and Technology (NIST) is a government agency responsible for setting standards in the field of cybersecurity to honor the needs of engineering and technology in the United States.
“Look at every NIST document that goes into security awareness,” says Lance, “they never mention the words risk, behavior, or culture. It’s all about basically compliance.”
He has been working with NIST to create a cyber role for security awareness because, at the moment, there is none.
Top quotes from this episode
“With a razor focus on risk, we get to ask ourselves a very simple question like, if those are the risk outcomes I want to avoid, what are the things that need to happen to avoid them?”
“It is not realistic to think that knowledge itself will change behavior,” He points out that many people have been trained but still revert to their old behavior.
“A security team that isn’t considering people as a more complex part of a system . . . is probably missing a significant opportunity to reduce their risk.”
“If people could be trained better, they would know more, and if they know more they could behave differently.”
“First, you need to identify top human risk, then the behaviors that manage those risks, then engage and motivate your workforce and enable your workforce to change those behaviors.”
For more human risk insights, listen to the next episode in the Behave podcast, or read the CybSafe blog.