Don’t spend all your security budget on technology

Richard Addiscott, Senior Director Analyst at Gartner, argues that cybersecurity leaders in the region need to adopt a human-centric security approach rather than spend all their budgets on acquiring new technologies.

Gartner forecasts end-user spending on security and risk management products and services in the Middle East and North Africa (MENA) region will increase 10% in 2023, to total $2.8 billion.

Cybersecurity leaders in MENA are expected to increase their spending in 2023 mainly because of increased demand for technologies that secure remote work and hybrid environments and that support digitization and cloud migration. While security budgets are increasing, it is important that cybersecurity leaders do not spend them entirely on technology.

Consider the human element before earmarking your security investment budgets for more technical controls. Most cyberattacks succeed by exploiting human rather than machine vulnerabilities, which is why people have long, if unfairly, been regarded as the weakest link in an organization.

Furthermore, the share of data breaches that involve the human element is a telling statistic, signaling to cybersecurity leaders that human behavior and the user experience need greater consideration. It also indicates that security programs founded on technology-centric investments are not delivering the full risk management outcomes expected of them.

Reduce risk to the organization
Phishing remains the primary mode of attack, but several other human activities contribute to a significant share of data breaches, from system misconfiguration and data misuse or misdelivery to weak credentials. These are all avoidable behaviors that must be addressed.

Employees know when they are acting insecurely. Gartner research shows that over 90% of employees who admitted to a range of insecure actions during their work knew that those actions would increase risk to the organization, yet undertook them anyway. The top reasons given were speed and convenience, and a belief that the perceived benefits outweighed the perceived risks.

Then you have poorly designed controls that introduce more friction than benefit. Security controls are often selected and implemented in such a way that the people they are meant to serve see no benefit from them. In addition, the way controls are implemented often causes unintended operational friction for users. The combination of no visible benefit and added friction encourages employees to seek efficiencies through actions that are both insecure and contrary to policy.

Wherever possible, redesign controls so that they integrate seamlessly with the flow (and location) of work. Place greater emphasis on understanding how and where employees conduct their day-to-day work, and design controls that fit that workflow. One way to achieve this is to build human-centric security design practices into your strategic capabilities and operating practices.

Focus on the individual, not technology or threat
Gartner predicts that 50% of large enterprise chief information security officers (CISOs) will adopt human-centric security design practices by 2027 to minimize cybersecurity-induced friction and maximize control adoption.

Human-centric security design places the individual, rather than technology, threat or location, at the focus of control design and implementation. This approach allows for varied or multiple contexts according to the individual's needs, both personal and operational, in achieving the desired business outcomes.

It could mean providing risk-appropriate, but more flexible, security control operation and user experiences; driving empathy-based security management considerate of situational factors; and enabling intentional collaboration with stakeholders during control design.

Minimize employee friction
Human-centric design improves security program ROI. No security program can be effective if employees actively seek to circumvent it. The essential ROI of human-centric design is that the cybersecurity program operates as intended, with minimal friction against employees' workflows.

In short, the controls actually work. There are also significant ancillary benefits from injecting the security program with more human understanding: a better grasp of threats and of how people make decisions about them. By taking steps to better understand employees, you are better able to influence their behavior.

Introducing this approach requires formalized and, most importantly, consistent end-user collaboration practices to be embedded in security initiatives. This means shifting the way your team works, which will in turn change your organization's security operating model.

List empathy as a critical attribute when recruiting security staff. It is a foundational enabler for keeping the human, and their requirements, at the heart of security control design, deployment and operation.

Adopting human-centric security design practices also requires cybersecurity teams to be involved in solution design and development. Invest in outreach to DevOps teams and business analysts on a continuous basis, with the intended secondary benefit of helping them improve their own risk-aware decision making as well as co-creating controls.

How to get started
First, define and reset security team expectations about the importance of the human element when evaluating, implementing and operating security controls. Then commence planning for and building security workforce capability, especially for customer/business-facing security functions, that employs empathy-driven, outcome-focused practices to enhance human and user interactions.

Once that is done, evaluate the existing security roadmap. Identify future security initiatives that are expected to change the way your organization's employees perform their work. Use one such initiative as a proof of concept or beachhead project in which human-centric design practices are applied collaboratively with the employees the initiative affects.

Security spending priorities and future trends will be discussed at the Gartner Security & Risk Management Summit 2023, February 27-28 in Dubai, UAE.