People: Your secret weapons | BAE Systems | Cyber Security & Intelligence


All too often, when a security breach occurs, the finger of blame can be pointed at an organisation’s own people. Carelessness, phished identity credentials or insider compromise – ‘Beware the enemy within’ – are all cried aloud. Those tasked with protecting the business now often focus heavily on the security risks that emanate from the (often-unwitting) actions of employees or trusted suppliers.
 
This is understandable at a time when the barriers that keep any organisation safe from attack are often guarded by nothing but a single factor of authentication or, even worse, leave an open door to attack through known vulnerabilities; one weakness and the whole business can be breached. Added to that are the compromising actions of those outside the gates who hold privileged access within through third-party supplier relationships. The danger is that people per se come to be seen as the enemy.
 
It needn’t be like this. Think only of how enterprises of all sizes repeatedly identify their people as their greatest asset. The good news is that this can be readily applied to the roles they play in keeping the organisation safe by harnessing the volume and variety of all those people’s eyes, ears and experience as part of their security defences. The means to do so already exists and it’s called ‘People Centric Security’.
 

People Centric Security

 
Up until now, security has been largely about risks arising through use of information systems procured, managed and controlled by IT. But as more and more business processes are digitalised, risks are arising in a vast variety of systems – both purely digital and digital-physical – that are NOT managed or controlled by IT or any other single central function, so the security function needs to be de-centralised. This is where People Centric Security can help.
 
This clearly has implications for organisations with centralised security teams (typically homed in ‘IT’), but what about those who outsource some or all of their security functions to a managed security service provider (MSSP)? What might People Centric Security look like in this instance? First, it must be recognised that People Centric Security is a rare specialist service that is set to expand rapidly. And here’s why.
 
Today, most MSSPs provide centralised services, reporting events typically to a single central team for response, using detection capability managed centrally. In future, a more de-centralised, people-centric approach will see the MSSP interacting directly with risk owners right across the business. After all, who better to determine how to remediate and respond to a potential breach than the business owner of that risk?
 
So, where exactly does all this lead? Well, if you expand on this concept and take it to the next level, you can start to see use cases where people act as additional sensors, assist with alert triage and incident response, and even provide some of the threat detection (“If this document is seen anywhere outside this specified group, I want to know about it.”).
 
Over the past 20 to 30 years, organisations have come to rely on technology alone to reduce human risk. However, this approach has failed to fix the problem. People Centric Security offers a new way forward that leverages people with process and technology to form a triad of defence against evolving attacks.
 
Why not come and talk to BAE Systems about case studies that you might like to see in your business? 
 
Neal Watkins, Chief Product Officer, March 9 2017