Why cyber security must shift focus to user experience

With the threat landscape expanding, cybercriminals are as entrepreneurial as ever, with access to increasingly sophisticated tools and technologies. In this fluid environment, cyber security is no longer just about prevention, but a shared responsibility model, owned by everyone.

Cyber security is no longer a matter of telling people what they can’t do; it’s about focusing on enabling a better user experience, with security leaders becoming “influencers” rather than “enforcers”.

Zero trust and the role of automation

Our latest report, Cyber security considerations 2022, identifies a growing demand for a frictionless experience, unencumbered by ever-changing passwords and multiple layers of digital identification. A zero-trust mindset and architecture, with identity and access management, is the key to enabling this.

Older methods of identity and security are not sufficient for increasingly distributed workforces, where organisations interact with extended ecosystems of third-party partners, contractors, and gig workers. All these people require different levels of access to sensitive corporate data. Unfortunately, a lack of purpose-built processes for these constituencies often results in significant breaches in the security chain.

Instead, zero trust is a concept of “trust nothing, verify everything”. It essentially requires all users, within or outside a network, to be continuously authenticated, authorised and validated. Only confirmed-safe users, systems and processes are then granted access to data and applications. Zero trust is managed through an automated approach that can help eliminate costly and cumbersome manual processes, reduce an environment’s attack surface and establish fit-for-purpose cyber policies and principles.

Enabling a zero trust approach: the principle of least privilege

The principle of least privilege is perhaps one of the simplest ideas relating to the way data is protected, but it’s also one of the most important. The general idea is users, processes, workloads, and applications should only be granted the lowest degree of system resource access rights necessary to carry out their role. For example, web designers don’t need access to financial records, and individuals responsible for updating product listings don’t need admin rights. Organisations should continue to view the least-privilege access principle as a core element of the zero-trust model.

To adopt a zero trust approach, there are key actions organisations should consider. First, experiment or begin to have a strategy around access with a password authentication for selected use cases. Be sure your identity program has a sound data and analytics foundation and embed a zero-trust mindset into your overall cyber strategy.

Security leaders should commit to a frictionless experience by streamlining authentication and identity management. Security functionality can be automated to enable highly skilled professionals to focus on more strategic activities. Above all, organisations should be aware that adopting a zero-trust approach is a journey — it takes time to implement.

Security automation: a competitive advantage

Cyber security teams are overwhelmed by ever-growing workloads. To address this, organisations are trying to ease the pressure and free up resources by applying automation to routine, repetitive tasks. Work previously performed by highly trained professionals, such as vulnerability scanning, log analysis and compliance, is being standardised and automatically executed. This can boost the analyst’s productivity, speed up incident detection and reaction times and provide an opportunity for scalability. Tasks can be prioritised more effectively, with quicker responses to threats that require human intervention.

In situations where data sets are too large or complex for direct analysis, automation is particularly valuable. It’s being applied in many sectors to discover hard-to-identify links and patterns. Automation also helps with tasks that benefit from increased speed, such as identifying security incidents in voluminous log data, and performing high-volume data discovery, where analysing individual files is often inefficient.

To harness the full potential of automation, organisations should take a proactive approach by focusing on threats instead of incidents. Mundane tasks should be automated to free up human capital and cognitive ability for more important activities. At the same time, it’s important to keep it simple. There’s no point over-engineering solutions or acquiring automation tools that don’t fit the problem or lead to business value for the firm.

A shared responsibility

The hyperconnected smart society will likely face increased cyber risks on multiple global fronts via evolving threats. Clearly, the technological advances powering business, communications and entertainment bring with them new perils. In a post-pandemic business setting in which many, if not most, workers are remote, interim fixes and temporary Band-Aids will likely prove to be unable to keep up with the pace and virulence of cyberattacks and threats already bombarding businesses and government agencies.

The CISO and their team can’t ensure cyber resilience on their own. It must become an organisation-wide effort with buy-in and active support from senior management, finance, marketing, and other stakeholders. There’s an interesting dynamic developing, particularly in Europe, where roles — CISOs, Chief Risk Officers (CROs), Chief Data Officers (CDOs) — are evolving toward what might be referred to as a Chief Digital Resilience Officer, which entails a broader agenda of shared security, technology risk and business continuity priorities.

Whether it’s advanced persistent threats, ransomware, backdoor attacks, or something we are yet to see, there will always be new perils to contend with. But if CISOs and their teams adhere to a disciplined set of principles designed with the organisation’s key objectives in mind, and if the plan is up to date and flexible, they can position the organisation to mitigate the impact of cyber events.

