Imagine sitting at the end of a fishing pier staring at the ocean on a fine summer afternoon with hardly a breeze in the air. The sea is flat and quiet while you hear the lapping of waves on the beach. You know that beneath that calm surface might well be sharks, jellyfish, eels, manta rays, the Atacama Snailfish, or any number of predators. The sea might look quiet but it is anything but.
The same could be said for an IT security staffer as he or she looks out over a calm and quiet office while all the time knowing hidden just outside its network are cybercriminals, hackers, and script kiddies who are trying to force their destructive ways on a company’s critical business systems.
For IT security teams, that constant battle is made even more difficult because no one knows for sure what type of attacks will be next, meaning security workers have to be ready for anything at any time. Like the Atacama Snailfish, apparently an ancient predator that was only recently discovered nearly 27,000 feet deep on the floor of the Pacific Ocean, cyber predators have a knack for keeping themselves well hidden, only coming into the light if they are identified accidentally.
CISOs and security teams use many types of cyberdefenses, ranging from antivirus, antimalware, and threat prevention software, to identity and access management software, to security appliances such as firewalls, universal threat management systems, and gateways, to a plethora of other hardware and software tools. But with new attack vectors being unveiled by the bad guys all the time, IT security leaders must always be thinking and looking ahead to the next potential security vulnerabilities and attack targets so they can prevent or minimize successful attacks against their businesses.
Not everything in IT security involves hardware and software, notes Steven Durbin, the managing director of the London-based Information Security Forum (ISF), an independent, non-profit global authority on cybersecurity and risk management.
Anticipating tomorrow’s IT security attacks also means understanding human behavior in the workplace, says Durbin. “We know that IT security guys are always trying to just keep the wheels on to keep things going. I think they’re relatively okay with being able to deal with it provided they can anticipate it. The piece they’re not so good at involves the people-centric area, the human-centric security needs. It’s really about trying to understand how people act, respond, and behave.”
In that case, what is needed is a new approach for IT — understanding more about the psychology of their users, says Durbin. That means educating users so they stop clicking on phishing emails from people they do not know and stop committing other common security gaffes, despite the constant lectures they already receive about avoiding such behaviors.
“That is the root, the really challenging piece, because those skill sets are not natural for an IT security guy or for the CISO,” says Durbin. “Some of the smarter organizations I’m aware of are doing things like hiring psychologists to help them understand how users react and to get a better handle on what might be implemented from a security standpoint in order to get a better level of acceptance from the user community,” he notes.