Interviews 04.06.2024
Dr Jason Nurse names AI as the biggest unsolved problem in cybersecurity. And he believes that good cybersecurity training is the bare minimum for improving cybersecurity posture.
I’ve always been interested in technology. At university, I completed a double major in computer science and accounting. When I began my career as an auditor, I realised the path wasn’t right for me. I decided to pursue a technology-based career, which led me to cybersecurity. What sent me down the human-specific path of cybersecurity was my post-graduate education and experience. While completing my master’s degree, I participated in a cybersecurity project, which led me to decide on business cybersecurity as my PhD focus. When I started my PhD, I noticed the social and people-centric side of cybersecurity was being ignored, and the technical aspects of cybersecurity were being favoured. I wanted to do something that could help fill that gap and make the long-ignored, human-centric side of cybersecurity finally seen.
A chef. Cooking is a temporal activity, a unique blend of art and science that happens in the moment and offers immediate gratification to those present. I think there’s also a part of being a chef that requires a lot of research, which is something I already enjoy in my current position.
The belief that people are the ‘weakest link’ in the security chain. This view, often echoed by out-of-date cybersecurity professionals and the media, unfairly labels individuals as liabilities. In reality, businesses are responsible for empowering their employees with the proper knowledge, motivations, and environment. Employees can become crucial assets in protecting an organisation’s data by providing comprehensive support, fostering a positive security culture that avoids blame and fear, and using tools that make the secure choice easy (like SSO). Transforming the narrative from blame to empowerment enhances security and effectively leverages human potential.
The best is the opportunity to shed light on the industry’s underrepresented areas and look for new, innovative solutions to counteract the de-prioritisation of cybersecurity across various sectors. There’s a significant sense of accomplishment in contributing to the development of something bigger.
One of the greatest challenges in this industry is navigating the balance between compliance and culture. Many organisations adopt a compliance-driven approach, focusing on meeting minimum requirements to protect themselves from liabilities. They hold a checkbox mentality which improperly prepares employees for the realities of today’s cyber threat landscape. Changing people’s views on cybersecurity from a simple requirement to a vital part of a company’s consciousness, where everyone shares responsibility, is challenging but crucial.
The best advice I have ever received, which I will pass along, is to take the time to keep learning. I would also implore industry n00bies to set aside time every day to concentrate on critical tasks. There will always be emails and Teams/Slack messages to reply to, but on most occasions, they can wait. It’s also important to block out the outside world occasionally if needed. Focus is important – if you need to pop on your noise-cancelling headphones and put your head down occasionally, you should.
The most significant unsolved problem is the advancement of artificial intelligence (AI), which has made cybersecurity an even more complex issue, moving the goalposts for anyone trying to protect themselves or their business. As AI continues to evolve in complexity, cybersecurity strategies are continuously trying to play catch-up with evolving cyber threats supported by AI. The complexity of AI-powered cyberattacks introduces new vulnerabilities and challenges, complicating detection and prevention.
“The complexity of AI-powered cyberattacks introduces new vulnerabilities and challenges”
The healthcare industry, particularly in its approach to human behaviour change, has primarily focused on encouraging individuals to adopt healthier lifestyles, from increasing their physical activity to improving their dietary habits.
Similarly, changing user behaviour in cybersecurity is crucial for enhancing security and keeping people safe online. Just as healthcare professionals communicate the benefits of a healthy lifestyle and the risks of neglecting health, cybersecurity experts and other leaders must emphasise the importance of adapting healthy security practices, being safe online, and the consequences of complacency.
CISOs can enhance their communication by adopting a more transparent and engaging approach, focusing on the core reasons behind security practices and policies.
I’ve been inspired by the concept of ‘starting with why’, a principle detailed in Simon Sinek’s book Start with Why. Emphasising the underlying ‘why’ behind cybersecurity efforts demystifies the measures and makes their significance clearer and more relatable to everyone involved. Work out what makes your people tick and align your messaging to that.
It is also important to acknowledge that employees are intelligent and capable individuals who can become proactive participants in an organisation’s cybersecurity culture.
Forrester predicts 90% of cyber attacks will continue to include a human element, such as clicking on a malicious link or opening an infected file. Good cybersecurity training is the bare minimum. It plays a small role in safeguarding an organisation’s data, protecting its reputation, and facilitating long-term success. But most people don’t need or want more training. They need support and guidance delivered at the right time, in the right way. Nudges reinforce safe cybersecurity practices among employees, effectively reminding them to stay vigilant and continuously promote security awareness.
“Emphasising the underlying ‘why’ behind cybersecurity efforts demystifies the measures and makes their significance clearer and more relatable”
Employees who understand how cybersecurity rules and practices directly impact them have an easier time understanding and following them. They are more likely to care if they feel more connected to an issue.
It’s important that CISOs start with the ‘why’ behind implementing cybersecurity initiatives and then communicate individuals’ stake and benefit from improved cybersecurity. Incentives can be an excellent way to drive a sense of self-importance and individual responsibility, aligning outcomes directly with employees’ roles and responsibilities.
COM-B is an effective strategy for CISOs to use when framing the importance of cybersecurity. Behaviour, or behaviour change, happens because of people’s capability(C), their opportunity(O), their environment, and their motivation(M), which includes a mix of self-efficacy and situational understanding.
COM-B states that for a person to perform a behaviour, they must (1) feel able, (2) their environment must let them, and (3) they must want to carry out the behaviour more than competing behaviours.
It is no secret the SolarWinds saga has sparked heated discussion among CISOs, with many deeply concerned about personal liability. Some CISOs believe they and their peers may walk away altogether or shorten their already brief average tenures. If CISOs aren’t getting C-Suite support in resolving security flaws, is it worth staying in their role and potentially being held liable for issues leadership isn’t prepared to fix? It may well be too much of a risk for some CISOs.
A CISO’s biggest headache stems from a constantly changing threat landscape, coupled with the increasing demands and scrutiny from board-level leaders. CISOs need to stay ahead of sophisticated and ever-changing cyber threats, but they must also manage heightened expectations from corporate leadership regarding security posture and risk management. Effectively, the role of a CISO has transformed into a constant juggling act: managing board-level communications and expectations, engaging with internal and external parties to promote security, and adapting to a fast-shifting regulatory landscape, all while staying one step ahead of attackers, who are themselves constantly innovating. This multifaceted challenge makes the role of a CISO one of the most demanding in the modern corporate world.
Interviews 20.06.2024
Rebecca considers a lack of line in the sand around AI and the gender pay gap two of the industry’s biggest unsolved problems and has a decent argument for why cybersecurity needs to learn from the finance sector
Features 18.06.2024
With the National Vulnerability Database (NVD) at crisis point, how can CISOs mitigate the risk of vulnerability exposure?
Blogs & Opinions 13.06.2024
Cybersecurity leaders face immense pressure to strengthen their organisations’ defences. Yet the industry is struggling to fill positions. Luckily, CAPSLOCK’s Dr Andrea Cullen has a plan The UK’s cybersecurity sector is still struggling to fill positions. The government estimates that 51% of UK companies lack basic cyber skills. This shortage of cybersecurity professionals is putting […]