SAN FRANCISCO—Some people see humans as the weak link in cyber-security; others see humans as the strongest link. Mary O’Brien, general manager of IBM Security, however, sees humans as both, sitting at the core of what is needed to enable improved cyber-security outcomes.
O’Brien is delivering a keynote at RSA Conference 2019 here today along with Caleb Barlow, vice president, IBM Security, X-Force Threat Intelligence, on how organizations can change their approach to improve cyber-security. A primary element of how that change can happen is education. In a video interview with eWEEK, O’Brien explains what organizations can and should be doing to educate employees about cyber-security and how to reduce risk. O’Brien said there is a need for the cyber-security industry to pivot toward a very agile way of thinking.
“This is agile where we pivot the security industry to be about more than just technology and to be about more than just creating the next tool for next technical problem,” she said.
O’Brien wants organizations to embrace diversity of thought and collaboration to enable staff to feel empowered. She also emphasized the need to infuse security into people, process and technology. Cyber-security awareness should be pervasive throughout an organization, starting from the person at the reception desk, who needs to understand what the risk is of someone getting past them who should not have access to the company.
“Security isn’t just the purview of the security team,” she said.
One common theme that emerges from technical experts is a need to have security by default integrated into technology. While the idea of having security by default is a good one for process, when the human element is added in, there is added complexity.
“The randomness of human interaction is where security by default would break down,” O’Brien said.
According to O’Brien, the answer to reducing risk is improving education, which can be done in a number of ways. IBM Security runs what are known as cyber-ranges where in-depth exercises, education and training are offered. She said that proper education helps organizations really consider the security of their entire environment.
“You can actually, through continuous education, push the boundary of your security program right out to the periphery of your organization, so that everyone understands they have a part to play,” O’Brien said.
The Human Link
O’Brien said security programs will always involve technology, but it’s important for organizations to be prepared for adversaries that will look for ways to bypass security technology.
The weak link could be a technical weak link, it could be a person using the technology, or it could be somewhere surrounding the enterprise where the technology is running. In any of those scenarios, she emphasized that humans are a critical link to improving security.
Watch the full video with Mary O’Brien above.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.