The Human Firewall: Rethinking Security Awareness and Training
Cybersecurity awareness has become a significant concern for organizations worldwide as cyber-attacks continue to increase in frequency and sophistication. In a recent LinkedIn post, we shared a link to a video by Wallmart CISO, Ira Winkler, author of 'Security Awareness for Dummies' and 'You Can Stop Stupid', where he offers a fresh perspective on cybersecurity awareness and training. In this blog post, we will explore Winkler's insights and discuss how organizations can shift their approach to cybersecurity to better protect their systems and users.
"Building a safer cyber world: just as cars need car rails, so does your data."
Redefining Security Awareness
Winkler emphasizes that security awareness should focus on stopping user-initiated loss, which means minimizing the potential for human error rather than attempting to eliminate human stupidity. As he puts it, if the end-user is considered our last line of defense, the cybersecurity industry has failed.
The Human Firewall Myth
The concept of a human firewall suggests that users should be responsible for preventing cyber-attacks. However, Winkler argues that relying on humans as the last line of defense is a flawed approach. Instead of expecting users to spot hackers, the
Taking Lessons from Safety Science
Winkler recommends that the cybersecurity industry should learn from safety science, which has been reducing losses from system failures for decades. Safety science does not rely solely on humans; instead, it emphasizes creating an environment that minimizes harm.
Creating a Safer Environment
To create a safer environment in the context of cybersecurity, Winkler suggests several strategies:
- Prevent users from being in a position of loss
- Remove certain decision-making abilities from users, such as automatically expiring externally shared documents over time
- Create a culture where people willingly use tools like password managers to share username and password information securely
Rethinking Governance, Procedures, and Guidelines
Winkler argues that governance should go beyond merely having policies that are only reviewed when auditors come knocking. Instead, organizations should establish procedures and guidelines that provide users with step-by-step instructions on how to do things right.
Conclusion
Ira Winkler's thought-provoking talk on cybersecurity awareness and training challenges the status quo in the industry. By shifting the focus from eliminating human stupidity to minimizing user-initiated loss, organizations can create a safer environment that reduces the likelihood of cyber-attacks. Learning from safety science, rethinking governance, and implementing practical procedures and guidelines will help organizations achieve a more effective and secure approach to cybersecurity.