A CISO’s frenemy, the “Human X Factor”

Sunday evening…

Alex, the company's CISO, is at dinner when an urgent SMS comes in: “Another incident!”

From experience, she already knows how it will unfold. She and her team will work as quickly as possible to contain the attack, shutting down servers, cleaning up everyone’s access and performing root cause analysis—which, later or sooner, would likely find that a developer had reused passwords over different sites, making the attack easier.

She wished it could be otherwise, but how?

Alex would love to simply restrict access for all users, creating a "Fort Knox". But she knows that’s not the answer for a thriving business.

Alex faces a dilemma shared by most organizations. Given that upward of 90% of security incidents can be traced back to human error, a statistic based on observations across multiple research studies and Breach Incident Reports, she knows the workforce is a security weakness. On the other hand, she also knows each employee has the potential to provide extra "eyes and ears" for suspicious activity that no SIEM could ever equal.

Though Alex is fictional—a composite of CISOs based on our experience—her struggle is real. The workforce is her ultimate "frenemy", and she must find a way to harness its friendly side, its power, while mitigating its dark side.

Training isn't the only answer

Alex has seen it again and again: Computer-based training simply doesn't do enough to help organizations become more secure. More than anything, she wants to help her people develop into a Human Firewall, empowered as the CISO’s partner in identifying risks, protecting the organization and supporting safe growth for the business.

And she can. But ...

When business leaders propose new growth initiatives, the often-expressed security concern is, “How does this affect our attack surface?” The problem here is the way "attack surface" is defined. They think it's a combination of devices, networks, ports, applications, access points, etc. However, they are missing the most critical weakness: The Human Attack Surface. Behind most incidents, there is a person who took an action that led to a security breach. We must account for the workforce—as asset AND a liability—by benchmarking and managing it like any other factor.

Surprisingly, despite the disproportionate incidents associated with human error, only an estimated 5% of security service spend goes toward supporting Human Firewalls.¹

To turn the CISO’s “frenemy” into a true security asset, organizations need a risk-based, outcome-driven approach that includes the aforementioned Human Firewall. To that end, we've identified five key actions that would support the development of the requisite enabling culture:

1. Know the risk: Bring together objective data from your environment to quantify human risk. This can be achieved with human risk quantification tools on the market, or a collation of other data sources such as user and entity behavior analytics and security information and event management systems.
2. Tailor your efforts to behaviors and people: Based on your objective identification of risk, tailor your security behavior change efforts and measure their effectiveness over time.
3. Move beyond awareness & training to take a behavioral science approach: Though foundational and often required for compliance, awareness and training efforts often aren’t enough to incite behavior change. Instead, employ behavioral science to nudge the appropriate behaviors and helps to make it easier for your workforce to “make the appropriate choices” regarding to security objectives.
4. Start from the top and the bottom: Cultures aren’t remade overnight. The tone and tenor should be set and modeled from the top. However, the grass roots of organizations should believe and embody any culture change for it to endure.
5. Recognize that the “human side of security” can take different forms: Building an enterprise culture with a security-first mindset is key, but it’s not the whole story. Are you upskilling IT, OT and security talent to keep pace with the changing threat landscape? Are you recruiting with that in mind, and while also factoring in collaboration between business key teams so that they’re ready in case of an incident? Are you deploying security technology with appropriate organizational change management to minimize resistance and maximize use of your security technology?

Using the above guidelines, Alex, and other CISOs can turn the page on a story that doesn't have to keep repeating. All it takes is a human + technology approach.

¹ Estimate a composite from numerous studies examining budget allocation for cybersecurity training, learning, and upskilling of the workforce.

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this article is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Copyright © 2021 Accenture. All rights reserved.