Ahead of Bruce Hallas’ keynote in London for Infosecurity 2018, a Q&A with him was published in which he provides thoughts, insight and advice on some of the key security topics trending at the moment. He also reveals the key takeaways that people should expect from attending his session next Tuesday.
Q: What do you feel is the biggest threat to information security currently?
A: The human factor is the biggest opportunity for improvement in information security today. While there are new cyber threats and security risks each day, the root causes of the majority of incidents relate to human behaviour. A recent Ponemon Institute report suggests that many CISOs consider a lack of competent staff or inadequate in-house expertise as the weakest point in their corporate armour – yet taking innovative new approaches to security training is only now starting to gather momentum. CISOs must adopt these new approaches and recognise that awareness alone is not enough. Influencing behaviour and embedding security into organisational culture must now become the end game.
Q: What can delegates expect to learn and hear about during your keynote?
A: I will be involved in the panel discussion ‘From cyber-threat to cyber-ally: changing behaviour to drive a risk-aware culture’, and my focus will be on demonstrating how organisations can ensure people become their best security defenders – and this means a fundamental shift in how we think about the human factor. Most education and awareness programmes are designed on flawed assumptions and an incomplete understanding of what makes humans behave the way we do. Instead, by re-thinking the human factor, organisations can transform organisation-wide behaviour and bring about demonstrable cultural change by incorporating behavioural and cultural insights.
Q: What advice do you have for practitioners building a strategy to defend against the threats of today and tomorrow?
A: For any security strategy to be effective, it must go beyond technology, policies and processes. Today’s practitioners must look beyond traditional education and awareness campaigns, which time and again have been proven to have limited impact. They must consider how they can go about re-thinking the human factor by influencing employee behaviour and embedding security into the core of their culture – stretching across geographical boundaries. If good habits are instilled through carefully crafted, motivation-based training, or through the design of policy and processes, they can be maintained and carried forward – and without ever-greater expenditure on technology to boot.
Q: The revelations about Facebook and the misuse of their user data have made headlines. What would you say is the main learning point to take away from the incident?
A: The Facebook / Cambridge Analytica story is certainly an interesting one when considered from a behavioural influence point of view. The alleged use of data being analysed and then used to influence the outcomes of elections, both in the US and in the UK, is a demonstration of influence successfully being used – but in a negative way. For organisations wanting to create positive change in their security culture, influencing behaviours and culture is the powerful tool that can successfully create that change.
Q: What are we, as an industry, doing right?
A: I think we’re starting now to take the role of behaviour and culture insights much more seriously in managing information security risk. Not only is it being considered as part of the effective design of education and awareness programmes but it also has, we would argue, a role to play in designing better security controls.
Q: What one piece of advice would you give to someone who is entering the information security profession?
A: The role of the information security professional is becoming far broader than technology, processes and policies. For someone entering the profession today, it’s essential that they understand the power and potential of people – employees and stakeholders – across the business in helping them create and sustain a culture of security that will mitigate risk. We’re seeing people with varied backgrounds being appointed to information security roles now – from communications to HR and marketing to behavioural scientists – because they have the skills to engage employees and influence the human factor.
Q: What are you hoping to see/do/hear about at Infosecurity Europe 2018?
A: I’m looking forward to the discussion and debate at this year’s show – it’s hard to recall a time when data privacy and information security have been so top of mind for so many people, regardless of their walk of life. It’ll also be interesting to learn about how organisations have been preparing for the new GDPR as well as other regulations. I’m excited for the event this year!