My work in cybersecurity has always been focused on the human side of the field. For me personally, this has meant a great diversity of work, from helping organizations understand where their vulnerabilities lie and how to mitigate against them, to awareness-raising training and helping to shape the communication of key messages both within organizations and to customers and clients.
Over the course of the last few years, it’s been hugely gratifying to see interest in the human side of cybersecurity grow. When I first started speaking at UK cybersecurity community conferences about four years ago, I felt like something of an outsider talking to very technology-focused audiences about sociology and psychology. More recently, interest in the human side of cybersecurity has exploded. A few weeks ago, the UK’s National Cyber Security Centre held the government’s flagship cybersecurity event with a core theme of ‘People are the Strongest Link.’
As much as the cybersecurity industry is catching up with the fact that this discipline is about people as much as it is about technology, we still have a long way to go. Almost two decades ago, Bruce Schneier popularized the phrase ‘people, process and technology’ but, as an industry, we still focus much more heavily on technology.
Most people will label humans as the weakest link in cybersecurity and, although awareness of cybersecurity issues is probably higher than ever, we are not seeing much progress when it comes to changing behaviours. Although we recognize how difficult it is to make progress with the human side of cybersecurity, it often seems that expertise in the human factors is still not valued by the industry as highly as technical expertise. This is obvious even in how we refer to the skill set: I’ve been described as an expert in ‘soft, pink, fluffy’ cybersecurity more times than I care to remember.
Many people also seem to be under the illusion that the human side of cybersecurity is only about awareness-raising and stopping people from becoming victims of phishing emails and social engineering attacks. This would be as accurate as saying a pen tester looks only for XSS vulnerabilities.
The human side of cybersecurity covers not just awareness but also behaviour and culture. It is about how people conceive of threats and what motivates people to act maliciously; it is about understanding and acting on an individual, organizational and societal level, and much more.
The immaturity of the human side of cybersecurity can be most strongly felt by those who wish to develop a career specializing in the area. As much as certifications can be a problem in the industry, at least there are a number of certifications available for the technical elements of the discipline. There are now a few MBAs available in the UK that focus on cybersecurity, but pathways into the industry for people who are more focused on the human dimensions of cybersecurity still remain very underdeveloped. We talk about the skills gap and the need for more diversity of experience in the industry, but if we are to attract people with expertise in disciplines such as sociology and psychology, we need to make routes into the industry available. Nurturing greater expertise in the human nature of cybersecurity will make us all stronger.