Recently I gave a talk to a local university students about cyber survivability. At the end of the session, it’s Q&A. One of the students asked “There are lots of challenges in the cyber space. Among them, what’s the most serious challenges that you have met?”.
I told them people is the serious challenge. Decades ago, the human aspect is considered as the weakest link in cybersecurity. Over times, this remains. It’s just a matter the focus has shifted.
Now, general users are well aware of cyber deception in the cyber space like phishing and scam, be cautious of unknown requests and things too good to be true. Why is the human aspect still applied? It’s about the cybersecurity practitioners.
They are supposed the leader in cybersecurity of an organization. They are hired to provide professional judgment in enabling a secure business environment, steer in the right direction. The cyber space is dynamic. It needs to have frequent upkeeping the domain knowledge to guide and lead the business. Never opt for 100% security or else the cyber protection will impose adverse effects either to complicate the business process or lose buy-in from business users.
They must understand the business model of the organization, the changing business environment, the top risks in the current threat landscape. Adjust written directives to fit for the dynamic situation. Address the top risks of adverse business consequence in a risk-balanced approach because resources are always limited. Don’t add unnecessary controls because new controls will also incur new vulnerability, new administrative overheads to sustain the effectiveness.
Cybersecurity practitioners must also demonstrate competency thru accreditation to fit the job. Think about the driver of vehicle. If the driver is incompetent, fatality might be resulted.