Human Nature – The Proverbial Thorn in the CISO’s Keaster!
While pondering the recent Target and Neiman Marcus breaches, and many of those that have come before, I cannot help but look for common denominators. If you compare these companies to your house, there are doors and windows that allow movement into and out of the house. If you open a window that has no screen, bugs will inevitably get into your house. The same dilemma exists in our digital domains.

Your house must have windows and doors to be functional. So again, what are the common denominators? These breaches were enabled by a universal problem, which is, quite frankly, the human element. Humans are easily tricked into interacting with malicious technology. A single employee decided to interact with an email message that, in essence, brought the Trojan horse into the corporate house. A single mouse click later … abracadabra! Congratulations, Target shoppers, your identity has been stolen and is now on the black market.

Now, digging a little deeper, we should again look for common denominators. It is a rare occasion within the workplace that our employees are not equipped with a full complement of communication tools: email, instant messenger clients, BYOD, browsers and other collaborative tools that connect them to the outside world. The simple question in my mind is, “who decided that the employee masses needed, or actually require, these communication tools to complete their worker-bee missions?” Going to work should be for work, not for unfettered access to all the technology and the plethora of permutations we all enjoy off the clock.

I once mentioned during an executive security briefing that “I could not fix stupid, but I could prevent it.” While that statement may be harsh, the sentiment is simple: humans are easily tricked into interacting with malicious technology. The challenge is to eliminate as much risk as we can without damaging legitimate business essentials. Part of the new-world-order business risk assessment should include whether or not my employee actually needs collaborative tools to communicate with the outside world. Inevitably, some human will drop the ball no matter how much training we provide or how many technical controls we implement.

Traditionally, we install really expensive security countermeasures that keep the company secure most of the time, but not all of the time. We logically eliminate the cost of technology, human resources and breaches when we take away the vectors that our employees do not require to legitimately get the job done. We secure that breach vector completely by eliminating it.

Returning to my earlier statement that I could not fix stupid but I could prevent it: perhaps we should instead say, “Intellectuals solve problems, geniuses prevent them.” Albert Einstein said it more eloquently, didn’t he?