Human-centric security is an approach that prioritises understanding and addressing human behaviour within the context of cybersecurity to enhance security and privacy. It recognises the critical role of human factors and focuses on adapting to human behaviour, psychology, and interaction to build a security culture that empowers employees, reduces human errors, and mitigates cyber risks effectively.
A robust human-centric security program can positively influence and sustain good security and privacy behaviours in the long term. It involves delivering impactful security education, designing systems and processes that account for user behaviour, and developing metrics to measure behaviour change.
It is anticipated that a shift by security leaders from raising awareness to fostering behavioural change will help reduce cybersecurity risks. Gartner predicts that by 2027, 50% of large enterprise CISOs will have adopted human-centric security design practices to minimise cybersecurity-induced friction and maximise control adoption.
Security behaviour and culture programs (SBCPs) encapsulate an enterprise-wide approach to minimising cybersecurity incidents associated with employee behaviour.
Organisations face significant challenges in information security, primarily due to a lack of preparedness for breaches, according to Sunny Tan, head of Security Business for East Asia at BT Business. He concedes that despite decades of investment in security, many Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) fail to conduct sufficient response exercises.
He opines that this unpreparedness was highlighted by recent incidents like the CrowdStrike event, where organisations with well-rehearsed recovery plans managed to bounce back quickly, while others struggled.
Tan emphasises that security cannot guarantee 100% protection, advocating for a risk-based approach. This perspective encourages CISOs to align security investments with overall business risk, facilitating more effective budget discussions with boards.
“As the conversation around cyber risk evolves, there is a growing recognition that it should be treated similarly to other enterprise risks, ensuring that CISOs secure necessary resources while managing expectations about potential breaches.” Sunny Tan
The privacy and protection disconnect
While the protection of data, personal or corporate, remains paramount, privacy has become central to building and sustaining trust. The OECD notes that as governments act on digital policies, they need to consider privacy and data protection as a matter of priority.
CIOs and privacy or compliance officers often face a disconnect in their approaches to data protection, largely influenced by industry regulations and maturity levels. According to Sunny Tan, challenges arise when CIOs grapple with budget constraints, outdated infrastructure, and a lack of data visibility, especially when sudden regulatory mandates demand immediate compliance.
He posits that consultants frequently mediate between data privacy officers, who may underestimate the complexity of protecting data, and CIOs, who struggle to implement these requirements. He goes on to explain that while CISOs prefer to enforce data protection measures rather than define them, collaboration among CIOs, privacy officers, and CISOs is crucial to effectively navigate these challenges.
“The complexities of data classification further complicate matters, as determining what constitutes critical business information often falls outside the IT realm. This ongoing struggle highlights the need for cohesive strategies that integrate compliance, cybersecurity, and business objectives in organisations across the region.” Sunny Tan
The CIO and compliance officer disconnect
There will be occasions when CIOs and privacy or compliance officers agree or disagree when it comes to data protection and privacy. Asked where the disconnect between the two lies, or where they do understand each other, Tan begins by explaining that data protection and privacy challenges vary significantly across industries and countries, particularly in regions with less mature cybersecurity frameworks.
He cites one such country, where organisations have struggled to meet regulatory demands, facing issues like budget constraints and outdated infrastructure. CIOs, often unaware of where their data resides, find sudden mandates to secure that information overwhelming.
Consultants are frequently called in to mediate between Chief Data Protection Officers (CDPOs) and CIOs, as the former may underestimate the complexities involved in data protection. Many Chief Information Security Officers (CISOs) prefer to enforce established data protection protocols rather than define them, highlighting a disconnect among these roles.
Tan believes that effective collaboration among CIOs, CDPOs, and CISOs is essential to address these challenges. “Additionally, data classification often extends beyond cybersecurity concerns, involving the identification of a company’s intellectual property and critical business information, which typically falls outside IT’s purview. This ongoing struggle emphasises the need for integrated strategies in data management,” he continues.
The human factor
Human factors significantly influence the adoption of security and privacy practices in Asia, as highlighted by Sunny Tan. One key issue is that IT professionals often prioritise delivering applications and infrastructure over integrating security measures, despite the long-standing principle that security should be designed from the outset.
This reflects broader human behaviour and the inherent trust placed in processes, which can be easily compromised. In the user domain, employees also play a critical role; many recent breaches exploit vulnerabilities in human behaviour. Phishing attacks, particularly sophisticated "whale" phishing targeting high-level executives, demonstrate how organised crime preys on the tendency to trust seemingly legitimate communications.
According to Gartner, generative AI (GenAI), unsecure employee behaviour, third-party risks, continuous threat exposure, boardroom communication gaps and identity-first approaches to security are the driving forces behind the top cybersecurity trends for 2024.
As artificial intelligence capabilities advance, creating realistic impersonations of executives further complicates this challenge. To counter these risks, organisations must implement robust security awareness programs, often referred to as a "human firewall," to cultivate a culture of vigilance and scepticism among employees.
Secure user-friendly communications policies
In the complex world of legalese, jargon often makes it impossible for the average user or consumer to understand the fine print. Human nature being what it is, users often don’t follow what should be best practice, in favour of just getting on with it.
The clarity of security and privacy messages in organisations varies significantly, notes Tan. Many policy documents are laden with technical jargon and legal language, making them difficult for end users to understand.
He cites the example at BT where efforts are made to simplify this language and focus on fundamental principles when educating the workforce. He goes on to reveal that many policies are outdated, failing to address contemporary challenges like cloud services and impersonation threats during virtual meetings.
“This obsolescence often leads to policies being overlooked,” warns Tan. “To enhance understanding, organisations are encouraged to integrate employee education and awareness programs with policy updates.”
For instance, gamifying training by comparing different offices’ susceptibility to phishing can make lessons more engaging and relatable. The goal is to ensure employees not only comprehend security protocols but also retain valuable knowledge from their training experiences.
The path to human-centricity
Tan defines human-centric as the situations where systems and humans meet. “Humans make errors or are trusting of the system, and you have problems after that,” he observes.
“You can look beyond human. You have autonomous objects; you have your internet of things; and then you have many things in the house, which can also be exploited to the same degree because the owners, the humans, trust that these devices are secure by design, are managed securely, and so forth.” Sunny Tan
“In our practice, it's zero trust. Verify everything. Don't trust anything,” he concluded.