Speaker: Ira Winkler
Designation: President of Secure Mentem
Topic: Stopping Stupid: How to Stop User Error
Date of Webinar: 29th Sep, 2020
Time and Location: 10:30 am EDT/ 08:00 pm IST/ 03:30 pm BST
Ira Winkler, CISSP, is President of Secure Mentem and author of Advanced Persistent Security and the forthcoming ‘You Can Stop Stupid.’ He is considered one of the world’s most influential security professionals and has been named a ‘Modern Day James Bond’ by the media. He did this by performing espionage simulations, where he physically and technically broke into some of the largest companies in the world and investigated crimes against them, telling them how to protect their information and computer infrastructure cost-effectively. He continues to perform these espionage simulations, as well as assisting organizations in developing a cost-effective security program.
Ira also won the Hall of Fame award from the Information Systems Security Association, as well as several other prestigious industry awards. Most recently, CSO Magazine named Ira a CSO Compass Award winner as The Awareness Crusader.
Topic Abstract:
Security professionals have adopted the expression, or sentiment, “You can’t stop stupid.” The reason is that they believe no matter what they do, a user will still be able to bypass their best security efforts. In practice, they seem to be correct. This is a gross failure of their security programs, as users are an embedded part of an organization. The problem is that even though “stupid” is expected, security professionals haven’t changed their methods to mitigate it. As a result, single events create hundreds of millions of dollars in losses, with billions in losses overall.
The failure to “stop stupid” means users are the primary attack vector for the most damaging attacks. Attackers keep advancing their techniques, while organizations continue to rely on awareness to thwart sophisticated criminals, nation-states, and sociopaths. Independently, security teams buy products. Policy teams write policies that get put on the shelf. The scale of the resulting losses would be unacceptable in any other field responsible for preventing financial loss. More importantly, awareness does nothing to prevent malicious actions, which account for 28% of losses.
Cybersecurity programs need to stop relying on independent tactics and adopt strategies from military, counterterrorism, accounting, and safety sciences. Awareness is just a tactic that, while a form of risk reduction, will fail and must be part of an overall strategy that accounts for imperfect tactics. This presentation discusses applying strategies such as “Left of Boom” and “Right of Boom” from counterterrorism, creating an environment that removes the possibility of mistakes from safety science, and accounting processes that proactively detect and mitigate fraud to address the human problem. Stupid can be stopped through the application of a strategy, instead of random tactics.
Key Takeaways:
- User error is only a symptom of the problem within your security program.
- Awareness is a valuable tool, but it is only a part of the solution.
- Adopt safety science and counterterrorism methods to stop the damage caused by user actions.
*Examples, analysis, views and opinions shared by the speakers are personal and not endorsed by EC-Council or their respective employer(s).