Security recalculated: Understanding risk means understanding the workforce

In this exclusive opinion piece, Dr. Margaret Cunningham, Principal Research Scientist at Forcepoint, argues that we must understand what we are protecting and the factors that impact our ability to implement successful cybersecurity strategies.

To understand risk, and to implement successful cybersecurity strategies, we must understand what we are protecting and the factors that impact our ability to do so. Over the past eighteen months (and perhaps for much longer), the rules and frameworks that drive our understanding of cybersecurity risk have drastically changed.

Rules serve as boundaries that shape behaviors, and our understanding of behaviors, for both technology and people. We attempt to shape desirable behaviors from both technology and people by carefully crafting boundaries and rulesets through policies and guidelines. In turn, we understand behavior by assessing and comparing how well behaviors conform to our rules. Without boundaries, we have a difficult time determining if something we’re observing is unexpected or threatening to our systems—or if it’s perfectly normal.

Currently, we are experiencing a rapid deterioration of rules and boundaries in both digital and physical spaces. While some new rules have emerged, such as avoiding public spaces and meeting with friends and family over video calls, others have either disappeared or become so ambiguous that they provide no helpful context for understanding our environment or one another.

For certain individuals, the loss of boundaries has a positive impact as they may be freed from obligations that negatively impacted their quality of life, such as long commutes. However, there are myriad other ways that blurred boundaries have increased uncertainty and therefore increased stress in people’s lives.

For instance, with a rapidly changing news agenda, it is much more difficult to trust information and to determine fact from fiction. Health and safety guidelines from governments or workplaces are often in conflict with one another (and frequently change). Research shows it is nearly impossible for individuals who are working from home to maintain separation between their personal and professional lives. At a broader level, it can be challenging for organizations to communicate definitive strategies and new rules due to additional societal uncertainty, such as impending supply chain issues or changes in consumer demand. These larger issues spill over onto employees, have a significant impact on stress, and negatively impact much-needed feelings of job security.

Another critical boundary that has arguably disappeared is the boundary between people and technology. People, both actively and passively, generate an enormous digital footprint regardless of efforts to minimize their online presence. Many people are less interested in maintaining any boundary between their physical and digital lives and are continuously connected to electronic and IoT devices.

Organizations focused on building resilient security architectures realize that they must understand and protect their assets (both digital and physical), as well as understand their employees. However, the enmeshment of people and technology has complicated efforts to achieve holistic security coverage using traditional policies and guidelines, since security has traditionally focused on technology rather than people. Efforts to address these challenges have been further complicated by the unplanned transition to working from home, the impact of burnout, and the lack of boundaries between personal and professional lives.

As we continue forward, it is time to accept that our existing assumptions and schemas for understanding how to secure and understand organizational assets and personnel may not work—and that we will need help from technology and analytics to learn how to interpret a new world with fewer boundaries.

One useful framework for interpreting the gap between how we believe people are working and using technology, and how they are actually working and using technology, is Humanistic Systems Theory. Right now, most organizations spend a lot of time thinking about what their employees are doing, and they spend a lot of time creating the rules and procedures that inform employees how to do their jobs. However, the reality of how people are working is often quite different. Consider that in a recent study, 46% of participants said that they use Shadow IT to more easily perform job duties. This type of exposure and security risk is invisible to organizations that are not invested in understanding how people interact with technology, and what technology solutions are required for people to achieve their goals both quickly and securely.

Analytics provide a compelling avenue for bridging the gap between our idealized vision of how people use technology to access and interact with critical corporate assets, and the messy reality that people are breaking rules and working around policies and procedures. Analytics can help organizations cope with discrepancies between people’s stated awareness of security requirements and their actual behaviors.

While the Future Insights series is in the business of predicting the future, the truth is that no business can accurately predict the future when it comes to security threats. However, by deploying security analytics tools which can analyse security events at scale, it is possible to detect threats before they have a chance to negatively impact an organization’s infrastructure.