The fundamental change being wrought throughout the world of work by the Covid-19 coronavirus pandemic presents a golden opportunity to address how cyber security is perceived within organisations and empower users to participate and buy into security.
This was the verdict of a panel of cyber security experts and chief information security officers (CISOs) drawn together for an online panel session at Infosecurity Europe 2020, which should be taking place this week at London’s Olympia exhibition centre, but due to the pandemic has morphed into an online event.
Jessica Barker, co-CEO at Cygenta, a specialist in cultural change management, acknowledged the change to remote working has highlighted real concerns about secure behaviours, and that cyber criminals were taking advantage of the situation.
“As much as this situation presents a challenge to security behaviours and culture, we need to think about how to engage people on a personal level,” she said.
Barker advised that security teams try to engage their users about security at home and about how they use digital platforms to connect with family and friends, shop, game and use social media.
“There are lots of avenues to talk to people about security, and that mindset expands to think more about the business as well,” she said.
Vincent Blake, vice-president and IT security officer at publisher Pearson, agreed that Covid-19 might create an opportunity for security by enabling security teams to turn the conversation away from restrictive “thou shalt not” policy and towards gentle advice on how to protect yourself online.
Mark Osborne, Europe, Middle East and Africa (EMEA) CISO at real estate firm JLL, said that security teams were getting a lot of kudos thanks to how they have stepped up and kept teams running during a critical black swan event, and said they could ride this wave of positivity to improve relationships with the business afterwards.
“Although I have an expectation we’ll slip back to the old norm, at the moment we have a huge opportunity because people are identifying the security team as those guys that kept them in their job and they’re more likely to comply with what we ask,” he said.
Speaking about human factors in cyber security at a separate event last week, Oz Alashe, CEO of CybSafe, a UK-based security awareness platform, said that the pandemic was galvanising security teams into making sure what they do and how they deal with their users is more focused and less woolly.
“Those supplying solutions and those buying them will become more discerning, they will ask for data and proof that what they are being told they should be doing is what they should be doing. Where they can design things into systems that means you don’t need to ask people to take certain actions, they will,” said Alashe.
“Training is often cited as a solution to address the human angle but evidence demonstrates it only goes so far. This will be delved into, looked at and exposed far more frequently than before and that is exciting. We will see a lot of change.”
Alashe held up the furore over the delayed NHSX contact-tracing app as a case in point, saying that as so many people have felt motivated to question the security of the data it collects, maybe they will start to do the same with enterprise applications.