The 2019 RSA Conference was held in San Francisco on March 4-8. This is one of the best-known security conferences in the world, with researchers and vendors coming from all over to learn about the latest and greatest in security and sell their products.
This year, I attended the conference and hosted a session on how to do cybersecurity awareness training without the FUD (fear, uncertainty, and doubt), and gave a talk about the overlaps between cybersecurity and hospital infection control with Mariam Salas of the University of New Mexico.
For the rest of the week, I attended several different sessions on a variety of topics and explored the Expo floor of the conference.
This year’s RSA conference seemed like the meeting of two completely different worlds. On the Expo floor (and in some of the talks), you had the technical side of security. In many of the talks that I attended, the focus was on human security. With both in one place, it was easy to see how different they are.
The Technical Side Of Security
On the Expo floor of the RSA Conference, there was a carnival atmosphere. Vendors with booths handed out free drinks and swag. There were even buskers with microphones proclaiming the virtues of their product and how it could solve all of your cybersecurity problems.
Many booths offered demos and some even had arcade games to lure visitors over. The goal was always to scan your badge so that they could add your email or phone number to their contact list for future sales calls.
“On the technical side, it seemed like cybersecurity was a solved problem based upon a visit to the Expo floor.”
With half an hour and a sufficient security budget, you could have your pick of the vendors in every field, building up a cybersecurity strategy and purchasing the necessary tools, technologies, and services from nothing with little or no effort.
The Human Side of Security
Attending the human-focused talks at the RSA Conference gave me a very different perspective. None of the speakers or facilitators believed that they had the security problem “solved”. In fact, some of the sessions began with the facilitator saying just that: if you’re coming here looking for a solution, you’re going to be disappointed.
The hard part of security is the fact that it’s not just technology. With technology, fixes are pretty easy. You find the problem, build a solution, and deploy it across the organization in a matter of hours.
With humans, you need to coax, nudge, and outright bribe them into doing the “right thing”, because being secure is generally hard and humans are lazy. Most social engineering awareness training can be summarized as “slow down and think it through”.
With the tens or hundreds of emails that you receive every day, thinking it through can be a significant time investment. The perceived payoff is less than the cost, so people keep on doing what they’re doing and remain insecure.
Improving the human side of security
The obvious answer to an organization’s human threat surface is cybersecurity awareness training. Logically, if we provide someone with all of the necessary data and they make purely logical decisions, the problem is solved. Training following these principles has been around for ages. The problem with traditional cybersecurity awareness training is that it’s awful.
Studies have shown that people make bad decisions when scared and try to avoid thinking of scary things. So what do we do? Scare them with cyber.
Research also tells us that humans can only retain about 7 pieces of new information in one sitting. And the suggested solution is to give an hour-long PowerPoint with tens or hundreds of new facts and figures for the employee to memorize.
“Traditional cybersecurity awareness training doesn’t work.”
Until training aligns with best practice, taking advantage of what we know about the human brain to optimize retention, it will continue to fail.
This is a core message here at the Cybermaniacs and was echoed throughout the human security sessions at RSAC 2019.
However, until this theory stops being “cutting edge” and becomes commonplace, the human side will remain enterprises’ biggest security weakness.
You can get just a slice of our cybersecurity training for $10 per member of staff. Find out more.