A CISO’s frenemy, the “Human X Factor”
November 16, 2021
Alex, the company's CISO, is at dinner when an urgent SMS comes in: “Another incident!”
From experience, she already knows how it will unfold. She and her team will work as quickly as possible to contain the attack, shutting down servers, cleaning up everyone's access and performing root cause analysis, which, sooner or later, will likely find that a developer had reused passwords across different sites, making the attack easier.
Alex would love to simply restrict access for all users, creating a "Fort Knox". But she knows that’s not the answer for a thriving business.
Alex faces a dilemma shared by most organizations. Given that upward of 90% of security incidents can be traced back to human error, a statistic based on observations across multiple research studies and Breach Incident Reports, she knows the workforce is a security weakness. On the other hand, she also knows each employee has the potential to provide extra "eyes and ears" for suspicious activity that no SIEM could ever equal.
Though Alex is fictional—a composite of CISOs based on our experience—her struggle is real. The workforce is her ultimate "frenemy", and she must find a way to harness its friendly side, its power, while mitigating its dark side.
Alex has seen it again and again: Computer-based training simply doesn't do enough to help organizations become more secure. More than anything, she wants to help her people develop into a Human Firewall, empowered as the CISO’s partner in identifying risks, protecting the organization and supporting safe growth for the business.
When business leaders propose new growth initiatives, the often-expressed security concern is, "How does this affect our attack surface?" The problem here is the way "attack surface" is defined. They think of it as a combination of devices, networks, ports, applications, access points, etc. However, they are missing the most critical weakness: the Human Attack Surface. Behind most incidents, there is a person who took an action that led to a security breach. We must account for the workforce, as an asset AND a liability, by benchmarking and managing it like any other factor.
Surprisingly, despite the disproportionate incidents associated with human error, only an estimated 5% of security service spend goes toward supporting Human Firewalls.1
To turn the CISO’s “frenemy” into a true security asset, organizations need a risk-based, outcome-driven approach that includes the aforementioned Human Firewall. To that end, we've identified five key actions that would support the development of the requisite enabling culture:
Using the above guidelines, Alex and other CISOs can turn the page on a story that doesn't have to keep repeating. All it takes is a human + technology approach.
1 This estimate is a composite of numerous studies examining budget allocation for cybersecurity training, learning, and upskilling of the workforce.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Copyright © 2021 Accenture. All rights reserved.