Useless or Userless? – A CISO’s Nightmare


Armadillo, 14 Feb, 2019

If you are in the cyber security industry and enjoy the new annual ‘fad’, which over the last decade has evolved into the new monthly ‘fad’ as consumerism takes over the market, you would have come to the epiphany that the biggest cyber security issue is the user!

Forget old windows machines and unpatched servers, it is now ‘Dave’ you must fill with cyber security intelligence, and sadly there is not a technology in the world that can replace Dave… yet (for those “I Robot” fans out there)!

So the question is how do you do this…? Do you make Dave trudge through seven layers of authentication whilst a big brother-esque IAM solution is keeping a watchful eye and questioning everything he does? This is the ‘zero trust’ model that makes everything ok until you realise your business is running at 50% efficiency because no one can do the most remedial of tasks such as logging into their emails in the morning.

Or do you put your employees through hours and hours of security awareness training? In which they are probably taking in 10% of it, as the meme on their Instagram seems more important to an office worker than being liable for taking down the organisation who pays them a living.

Neither seem like the perfect solution to me…

As with anything in Cyber Security there is sadly not a silver bullet nor a way in which your business can work to 100% productivity and be completely secure against cyber-attack. Working with a lot of CISO’s the ongoing battle they face is security vs. productivity which is usually driven at board level. They are forever being asked to put in place services that work for their employee’s and make their job as easy as it can be, however it seems doing this always brings security risks that staff outside of IT turn a blind eye to until that fateful day they get hacked.

To add to the confusion, consumerism has bought us to the point where there are countless vendors talking to the CISO everyday with the “answer”, which one do you choose? How do you know which one to choose?

I am not a CISO, but I have been in many rooms during this kind of discussion. From my experience the best people to listen/talk to are those who can have this whole conversation without a technology/vendor crossing their lips. Someone who looks at the business problem, looks at the IT departments take on it and finds a solution that isn’t ‘top right in Gartner’ or ‘used by the 8 out 10 top law firms’, but the solution that is bespoke to the issue this company are facing and supports every business unit in doing so.

I bet you are expecting this to end with me saying I have the “answer” and I am the person you should speak to… This is not the case. I am merely making an observation from my experience in the industry and hoping that we stop spiralling down the rabbit hole of consumerism. Organisations are continuing to spend money on the newest technology just to feel the need to upgrade to “Gen 2” in 6 months, without understanding the part it is playing in their business, and probably just buying the product because of a clever marketing ploy.

What I have found is that the companies who have seemed a lot more conscious in why they are buying the security technology they are, are the organisations who put more effort into a security strategy. Don’t get this confused with annual budgeting, this is not a strategy. A strategy is sitting down and working your way back from your business’ vision/mission statement and making sure you are working towards that in a secure manner. This isn’t a CISO sitting on their own, this is a CISO talking to everyone relevant, making sure everyone who works for them or with them are singing from the same hymn sheet, and understand why they are putting certain controls in.

When Dave needs to go through his authentication procedure (hopefully not several times), he will be a lot happier doing it if he understood the risks of not doing it.

Always up for a chat and to share thoughts with like-minded people, if you have any questions or would just like to ‘vent’ to someone I am always happy to give my ears. Just drop me an email here, or give me a call on 07391 496 023.

Written by: Nick Trott, Client Manager at Armadillo.