There is a saying in cybersecurity that the human element is the greatest vulnerability, but the saying says nothing about the size of the opportunity to use the human element to mitigate cyber risk. Information security officers have begun to adopt the language of risk management in response to the growing threat. One of the most visible trends in cybersecurity is the adoption of a Zero Trust posture. Zero Trust was discussed in earlier chapters; it is revisited here not as a pillar of the cognitive risk framework but as context for what else is needed to make the Zero Trust methodology work as expected. Zero Trust and the cognitive risk framework share important concepts and diverge where each has gaps. Zero Trust is a long-term, transformational commitment.
Zero Trust requires organizations to re-architect how information security is conducted. The third pillar of a human-centered framework is focused on re-architecting how people interact with technology. Both are radical changes to how traditional security is implemented, and both rely on people to carry out the re-architecture of systems and of human roles in new ways. Both must reflect the fluidity of business operations and be responsive to change, and both recognize that progress is incremental: it is not plug-and-play with a new application or a new policy and procedure. Both require a radical change in mindset in the CISO suite and among management.
Prescribing Zero Trust
Zero Trust is prescriptive, meaning there is a great deal of guidance from NIST, the National Institute of Standards and Technology, and from other federal bodies. The third pillar of a human-centered framework is not prescriptive; it is based on assessing the probabilities of threats and attack vectors where the intersection of humans and technology poses the greatest risk. A human-centered framework recognizes the lack of high-quality, actionable pools of data for accurate assessments; likewise, following the Zero Trust guidance takes time to develop and does not guarantee success. Both practices require exploring what works in a specific operating environment, and both anticipate learning best practices over time rather than implementing one-time solutions. The sources of Zero Trust guidance include NIST SP 800-207: Zero Trust Architecture, DoD’s Zero Trust Reference Architecture, NSA’s Embracing a Zero Trust Security Model, CISA’s Zero Trust Maturity Model, CISA’s and NSA’s 5G Cloud Security guidance, and OMB’s Federal Zero Trust Strategy.
Zero Trust requires a well-articulated implementation plan that defines the scope of the change and what will be covered. This is not a technology product approach. Zero Trust is a shift in security mindset, just as a human-centered framework changes how security professionals must consider the roles of people (security professionals included), trust in access to critical data, new approaches to identifying and authenticating users who are authorized to conduct business, and validation of who has authority to make changes. Again, the key difference is a focus on technology versus a focus on people, but both are needed, and excluding either one is a detriment to the success of the other.
Zero Trust Proposes a Five-Step Process (variations may apply):
- Define your protect surface.
- Map the transaction flows.
- Build a Zero Trust architecture.
- Create a Zero Trust policy.
- Monitor and maintain the network.
The Zero Trust guidance does not say so explicitly, but every one of these steps depends on human actors to design, execute and maintain the Zero Trust environment. The third pillar of a cognitive risk framework is designed to enable that human performance in building Zero Trust.
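To make the five steps concrete, here is an added worked example (not code from the chapter or from any of the cited guidance documents) that walks steps 1, 2, 4 and 5 in miniature: a protect-surface inventory, a handful of constructed flow records, a default-deny allowlist derived from the flows that were actually observed, and an evaluator that decides whether a new flow is permitted. The resource names, identities, ports and log format are all hypothetical; a real deployment would take flows from a firewall, proxy or service mesh, and step 3 (the architecture that enforces the policy) is outside what a script can show.

```python
"""Protect surface -> transaction flows -> default-deny policy -> evaluation.

Added example; the inventory, flow records and names below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Step 1: the protect surface. Only the crown-jewel resources are listed;
# anything not inventoried has no policy and is denied until classified.
PROTECT_SURFACE = {
    "payroll-db": {"owner": "finance", "sensitivity": "high"},
    "hr-api": {"owner": "hr", "sensitivity": "high"},
}

# Step 2: observed transaction flows (constructed, not real telemetry).
OBSERVED_FLOWS = [
    "2024-05-01T08:00:00Z identity=svc-payroll device=managed dst=payroll-db port=5432",
    "2024-05-01T08:01:00Z identity=svc-payroll device=managed dst=payroll-db port=5432",
    "2024-05-01T08:02:00Z identity=hr-portal device=managed dst=hr-api port=443",
    "2024-05-01T08:02:30Z identity=hr-portal device=managed dst=hr-api port=443",
    # A single anomalous flow: the HR portal reached the payroll database once.
    "2024-05-01T08:03:00Z identity=hr-portal device=managed dst=payroll-db port=5432",
    # Not part of the protect surface at all.
    "2024-05-01T08:04:00Z identity=laptop-42 device=unmanaged dst=intranet-wiki port=443",
]


@dataclass(frozen=True)
class Flow:
    identity: str
    device: str
    dst: str
    port: int


def parse_flow(line: str) -> Flow:
    """Parse one 'key=value' flow record; the timestamp is the first token."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return Flow(fields["identity"], fields["device"], fields["dst"], int(fields["port"]))


def map_flows(lines, protect_surface):
    """Step 2: count each (identity, resource, port) tuple that touches the protect surface."""
    counts = defaultdict(int)
    for line in lines:
        flow = parse_flow(line)
        if flow.dst in protect_surface:
            counts[(flow.identity, flow.dst, flow.port)] += 1
    return dict(counts)


def build_policy(flow_counts, min_observations=2):
    """Step 4: an explicit allowlist per protected resource.

    Flows seen fewer than min_observations times are left out so that a
    one-off anomaly in the baseline does not become a permanent allow rule.
    """
    policy = defaultdict(set)
    for (identity, dst, port), seen in flow_counts.items():
        if seen >= min_observations:
            policy[dst].add((identity, port))
    return dict(policy)


def evaluate(flow: Flow, policy, protect_surface):
    """Step 5: decide one request. Returns (decision, reason); default is deny."""
    if flow.dst not in protect_surface:
        return ("deny", "resource not inventoried; classify before allowing")
    if flow.device != "managed":
        return ("deny", "unmanaged device")
    if (flow.identity, flow.port) in policy.get(flow.dst, set()):
        return ("allow", "matches explicit allow rule")
    return ("deny", "no matching rule (default deny)")


if __name__ == "__main__":
    counts = map_flows(OBSERVED_FLOWS, PROTECT_SURFACE)
    policy = build_policy(counts)
    for resource, rules in sorted(policy.items()):
        print(resource, sorted(rules))
    for candidate in (
        Flow("svc-payroll", "managed", "payroll-db", 5432),
        Flow("hr-portal", "managed", "payroll-db", 5432),
        Flow("svc-payroll", "unmanaged", "payroll-db", 5432),
    ):
        print(candidate, "->", evaluate(candidate, policy, PROTECT_SURFACE))
```

The point the script makes is the one the chapter is making: the allowlist is only as good as the humans who decide what belongs on the protect surface, how long to observe flows, and whether the single HR-portal-to-payroll flow is an anomaly to deny or a legitimate path someone forgot to document. The code cannot make those calls.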
Zero Trust must be aligned with compliance requirements. A human-centered framework is not compliance-based, but it anticipates compliance requirements without adopting them rigidly, because compliance standards, and the way they are adopted, must align with mitigating risk without hindering human performance. Flexibility rather than rigidity in compliance is a core element of cognitive controls in a cognitive risk framework. Over-reliance on compliance is a double-edged sword; room must be left for good judgment and risk-based data analysis. The remaining Zero Trust elements discussed here, shared services, cloud-based implementation and identity management, also depend on a robust cognitive risk approach.
Zero Trust guidance implicitly assumes that every organization has the skills, capabilities, expertise and experience to develop and implement a Zero Trust architecture at the same level of proficiency. That assumption is the risk of Zero Trust. A human-centered framework assumes instead that the organization must prepare not only its security staff but all other personnel for a Zero Trust environment to operate as effectively as expected. This gap is the vulnerability cyber researchers refer to when they call the human element the greatest vulnerability in cybersecurity.
The Human Element, Risky?
Almost all organizations underestimate the effort of large transformational technology projects, especially those related to information security. It is human nature to take people for granted in complex projects. Yet there is sufficient research and data to demonstrate that we must harden people for change as well as the infrastructure of the operating environment, and this step is repeatedly short-changed as organizations rush ahead without assessing how the change will affect the people involved. Organizations that are attuned to these risks at all tend to view them in the narrowest form, the insider threat. Information security officers have bought into a "Snowden Effect", reinforced by confirmation bias, without a full understanding of the factors that cause human error and mistakes, which are the larger component of human element risk.
The disconnect between the novice and the expert lies in how "noise" and "bias" are treated in risk analysis, and subjective risk analysis leads cybersecurity professionals astray. A large part of the problem is also a risk communications problem. Terms like "insider threat" have been adopted without robust definitions or quantifiable characteristics. Different people define the insider threat differently, and that is a big part of the confusion and of the gap in how to mitigate the problem. There is a saying, "if you don’t trust your people, they become untrustworthy," and it rings true in the anecdotal use of the term. When a term like "insider threat" is used to describe all human element risks, the definition has lost its purpose. Humans are not one-dimensional and neither are the errors they make. More definition and detail are needed to assess the risk of the human element.
The third pillar of a human-centered framework explains the broad scope of the human element risk in cybersecurity and enterprise risk. An organization of 10,000 employees does not operate in lockstep no matter how well-intended they all are. The reality is that each person is an individual with strengths and weaknesses in performing their jobs on any given day. The expectation of zero risk is a fallacy in assuming risk can be avoided even in a Zero Trust environment. In reality, the goal should be to minimize the impact of risks that occur over time.
When organizations fail to define risks accurately, as with the insider threat, they will fail to define the solution needed to address the vulnerability. This is why technology vendors selling behavioral analytics platforms have not been effective at mitigating human element risk: a behavioral analytics platform can be gamed once people learn the system’s blind spots and weaknesses. Single-point solutions implemented without a holistic plan contribute to vulnerability instead of addressing it.
Zero Trust, cybersecurity, information security and enterprise risk management all depend on the same thing, the human element. Yet the failure is not technology, per se. The real failure is the misdiagnosis of the role of the human actor in the execution of risk governance writ large. Cybersecurity and enterprise risk suffer from the same errors in judgment, among them a lack of rigor in assessing asymmetric risks. You cannot address asymmetric risks with subjective risk assessments. Color-coded risk matrices are subjective risk assessments. High, medium and low are subjective risk assessments. Subject matter expert opinions are subjective risk assessments. Subjective risk assessments are effective for socializing perceptions of risk among executives, but the process is not predictive of risk. That is the difference!
Imagine addressing the Covid-19 pandemic with the collective opinions of professionals with little to no experience in infectious disease. Why do we think subjective perceptions of risk will be more effective in cybersecurity? Risk assessments are not perfect, but there are methods with the rigor needed to make more informed decisions, and cybersecurity professionals are not using them. Instead of treating traditional risk practice as "best practice", use statistical analysis and data science, build models with internal and external data, apply game theory, and hire or develop risk analysts. Cyber risk analytics should not be thought of as a platform you buy but as a discipline you must develop in-house.
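To show what "statistical analysis instead of a color-coded matrix" looks like in practice, here is an added example (not from the chapter) of the simplest quantitative treatment of a single cyber loss scenario: a Monte Carlo simulation in which the number of loss events per year is Poisson-distributed and the size of each loss is lognormal, yielding an expected annual loss and a loss-exceedance curve instead of a "high" or "medium" label. The scenario parameters (two credential-compromise incidents a year, a median loss of 50,000 with a lognormal sigma of 1.0) are constructed for illustration; in a real analysis they would be calibrated from internal incident data, external loss data and structured expert estimates, which is exactly the in-house discipline the paragraph argues for.

```python
"""Monte Carlo loss model for one cyber risk scenario (added example; parameters are constructed)."""
import math
import random
from statistics import mean


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: number of loss events in one year given annual rate lam."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(event_rate, loss_median, loss_sigma, years=10_000, seed=7):
    """Simulate `years` independent years of total loss.

    Each year: Poisson(event_rate) events, each with a lognormal loss whose
    median is loss_median (so mu = ln(median)) and log-scale spread loss_sigma.
    A fixed seed keeps the run reproducible for review.
    """
    rng = random.Random(seed)
    mu = math.log(loss_median)
    annual = []
    for _ in range(years):
        events = sample_poisson(rng, event_rate)
        annual.append(sum(rng.lognormvariate(mu, loss_sigma) for _ in range(events)))
    return annual


def percentile(values, q):
    """Nearest-rank percentile; q in [0, 1]."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(round(q * (len(ordered) - 1))))
    return ordered[idx]


def exceedance_probability(losses, threshold):
    """P(annual loss > threshold): one point on the loss-exceedance curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def summarize(losses):
    """The numbers a board can act on, which a heat-map cell does not carry."""
    return {
        "expected_annual_loss": mean(losses),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p99": percentile(losses, 0.99),
    }


if __name__ == "__main__":
    # Constructed scenario: credential compromise via phishing, ~2 incidents/year,
    # median incident cost 50,000, heavy right tail (sigma = 1.0).
    losses = simulate_annual_losses(event_rate=2.0, loss_median=50_000, loss_sigma=1.0)
    for name, value in summarize(losses).items():
        print(f"{name:>21}: {value:>12,.0f}")
    for threshold in (100_000, 250_000, 500_000, 1_000_000):
        print(f"P(loss > {threshold:>9,}) = {exceedance_probability(losses, threshold):.3f}")
```

With these inputs the closed-form expected annual loss is rate × median × e^(sigma²/2), about 165,000, and the simulation should land near it; the 99th percentile, several times higher, is the tail that a "high/medium/low" rating flattens away. Nothing here is predictive on its own: the value of the exercise is that each parameter is an explicit, challengeable claim that can be updated as data arrives, which is the discipline the chapter contrasts with subjective scoring.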
Skill Sets Vary, Yet Coincide
The skills needed to solve life-saving problems in medicine, healthcare, science and space travel are the same skills needed to understand the complexity of technology in modern organizations, whose networks extend within, across and beyond the four walls of the enterprise. The most capable cyber adversaries are computer scientists and mathematicians, not opportunistic hackers; they design the tooling that is sold to novice attackers on the dark web. To compete with top talent in cyberspace you must hire or develop top talent across multiple disciplines in information security and network architecture.
When Wall Street needed talent to manage complex trading risks, it hired Ph.D. physicists and mathematicians rather than asking a subject matter expert for an opinion: physicists with programming skills and the mathematical ability to advance the science of trading. Computer scientists and network engineers are the equivalent skill sets needed to address the challenges of modern cybersecurity. A small team of physicists, computer scientists, network engineers and human factors experts will be needed as the cost of cyber losses continues to mount.
Protecting the enterprise is as important as generating revenue, and in many cases these skill sets will allow forward-looking firms to create new opportunities and products that compete with adversarial talent. This talent must be developed in-house and nurtured so that a baseline knowledge base forms across industries, with spinoffs and startups that assist smaller organizations.
A human-centered framework is about learning what you do not know or may not fully understand about risk. I am an advocate of Zero Trust concepts and methodology, but the cybersecurity industry must be honest about its ability to build robust Zero Trust capability at the high level of expectation assumed in the guidance. The risk to Zero Trust adherents is that firms following the methodology continue to suffer severe breaches, discrediting it. Zero Trust is one of many approaches that will remain relevant, but standards of excellence must be established on evidence-based outcomes. A cognitive risk framework is a vehicle for development and experimentation, a skunkworks: a project developed by a relatively small and loosely structured group of people who research and build primarily for the sake of radical innovation.
What is the role of the board and senior executives in supporting the way forward?
The framework for the board of directors and senior executives is simple:
- Define the risk profile of your cybersecurity and enterprise risk program.
- Conduct a gap analysis of skills and capability to mitigate risk.
- Define the goal and objectives of cybersecurity and enterprise risk to help achieve the organization’s strategic objectives.
- Develop a plan to close the gap.
- Communicate the plan and get buy-in across the firm.
- Assign accountability and responsibility to a small team with the requisite skills to execute the plan.
- Have the team report to the board on progress.
- Develop deliverables and expectations for the team.
- Give the team three to five years to produce results.
- Refine the process each year and expect results annually.
- Stop expecting easy solutions with technology, but search for simple solutions with people.
The board of directors and senior executives are responsible for setting the strategic direction of the cybersecurity and enterprise risk team. The talent and the team must be aligned with the risk profile of the organization. Early expectations must center on gaining insight into the vulnerabilities where the firm is fragile and the strengths where it is robust. Within the first 18 months the team must assess channels of communication, governance processes, the integration of technology and people, and external networks with customers, vendors and solution providers, and deliver a robust assessment of the gaps that exist. The third year pivots to remediation and enhancement. Each subsequent year brings refinements and enhanced security processes.
Cybersecurity and enterprise risk need an upgrade from generalist to specialist status. This is a competition that will only become more intense as the digital operating environment accelerates and will be won with advanced practice, not subjective analysis. Organizations that see the future have already begun to make the transition to upgrade or to build the talent needed for competition in the 21st century.