The 80% Conundrum
We are only a few years away from a momentous occasion. Nearly 30 years ago, on April 30th, 1993, the internet as we know it (the public version) was born. This historic event gave birth to a new era, the era of technology. Great strides have been made in tech over the last 30 years, but for Cyber Security Professionals, and for this Professional in particular, there has been one glaring constant that we can't seem to change. Within the Cyber Security industry, it is widely accepted that 80% of all security violations are caused by human error. This number in recent years has even been cited as high as 88% (https://www.tessian.com/research/the-psychology-of-human-error/). That's nearly 30 years of better technology, better security, increased boundary defenses, better threat detection, increased connectivity, and aggregation of global knowledge available in the pocket of most human beings and cell phones more powerful than the technology that sent us to the moon. And yet, we continue to battle this glaring hole in our security posture. At every turn, we find that people are still falling victim to the same scams, phishing emails, malicious links, and more.

Several years ago, I was fortunate to hear Damon Small give a talk at DefCon 25 about what he called "Layer 8." Many security practitioners joke about the nut that connects the chair to the keyboard. Damon, however, made the case during his talk that, while people are our biggest hurdle, our biggest challenge, they are also, inevitably, our most capable tool in improving the security posture of our system. Now, while my friend, Damon, went on to tell a story about a time when his security team (armed with the simplest of tools) was able to save the day, I think it has become clear that a new shift in Cyber Security needs to happen. For nearly 30 years, the Cyber community has been working diligently to implement new security mechanisms, new protection methodologies, new policies, procedures, and tools.
But we continue to struggle with the idea of improving how the average user impacts our security posture. Cyber security is something that we can no longer ignore in our daily lives. And for those of us who are Cyber Professionals, we have got to start focusing our efforts more effectively on shifting the paradigm of human interaction with the systems that we are trying to protect. Our human issues are not going to be solved by technological means. Currently, our best mechanism for succeeding in this realm is to engage more with our users. Not in that traditional, condescending, "IT" way of engagement either. We need to help our users understand why security is important, and what small things they can do daily to help ensure the security of their systems and their data. The more we can educate the masses, the more we can decrease the statistic mentioned above. 80+% for the last 30+ years is not an acceptable status quo. As Cyber Professionals, we have to begin communicating to our peers in other industries and our teammates within our circle of influence in a way that helps them be better at Cyber.