As Defence Online takes an in depth look at cyber security in the month of November, Leron Zinatullin, Cybersecurity Specialist and Author of The Psychology of Information Security, examines the need to build transparency around cyber security.
In today’s corporations, information security professionals have a lot to grapple with. While facing major and constantly evolving cyber threats, they must comply with numerous laws and regulations, protect the company’s assets and develop their teams.
Back in the old days, security through obscurity was one of the many defence layers security professionals were employing to protect against attackers. On the surface, it’s hard to argue with such a logic: the less the adversary knows about our systems, the less likely they are to find a vulnerability that can be exploited.
There are some disadvantages to this approach, however. For one, you now need to tightly control the access to the restricted information about the system to limit the possibility of leaking sensitive information about its design. But this also limits the scope for testing: if only a handful of people are allowed to inspect the system for security flaws, the chances of actually discovering them are greatly reduced, especially when it comes to complex systems.
Cryptographers were among the first to realise this. One of Kerckhoff’s principles states that “a cryptosystem should be secure even if everything about the system, except the key, is public knowledge.”
Modern encryption algorithms are not only completely open to the public, exposing them to intense scrutiny, but they have often been developed by the public, as is the case, for example, with Advanced Encryption Standard (AES). If a vendor is boasting using its own proprietary encryption algorithm, I suggest giving that vendor a wide berth.
Cryptography aside, transparency can be approached from many different angles: the way we handle personal data, respond to a security incident or work with our partners and suppliers. All of these angles and many more deserve the attention of the security community. We see the shift away from ambiguous privacy policies and the desire to save face by not disclosing a security breach affecting our customers or downplaying its impact.
Communication is a key element in building transparency around security, and that extends to the way we work with people in our organisations. Understanding people is essential when designing security that works, especially if your aim is to move beyond compliance and be an enabler to the business.
Remember, people are employed to do a particular job: unless you’re hired as an information security specialist, your job is not to be an expert in security. In fact, badly designed and implemented security controls can prevent you from doing your job effectively by reducing your productivity.
The aim is not to punish people when they make a mistake, but to build trust. The security team should therefore be there to support people and recognise their challenges rather than police them.
Security mechanisms should be shaped around the day-to-day working lives of employees, and not the other way around. The best way to do this is to engage with employees and to factor in their unique
experiences and insights into the design process. The aim should be to correct the misconceptions, misunderstandings and faulty decision-making processes that result in non-compliant behaviour.
People must be given the tools and the means to understand the potential risks associated with their roles, as well as to recognise the benefits of compliant behaviour, both to themselves and to the organisation. Once they are equipped with this information and awareness, they must be trusted to make their own decisions that can serve to mitigate risks at the organisational level.
After all, even Kerckhoff recognised the importance of context and fatigue that security can place on people. One of his lesser known principles states that “given the circumstances in which it is to be used, the system must be easy to use and should not be stressful to use or require its users to know and comply with a long list of rules.” He was a wise man indeed.
To learn more about cyber security and how your business can stay protected from threats, visit the Cyber Essentials Online website
If you would like to join our community and read more articles like this then please click here.
The post The Evolution of Cyber Security – A path to transparency appeared first on Defence Online.