Global CISO Of OSI Group On Hacking Humans

People are often viewed as the weakest link in the security chain, which is made more challenging given a relentless and changing adversary. However, with a focus on the right strategy as well as conveying concise messaging in quantifiable business terms can help overcome this challenge. This is especially crucial as the adversary continues to modify attack vectors and leverage new technologies to improve their methodologies.

In fact, Michael Welch, Global CISO of OSI Group, says, “Humans are oftentimes looked at as the weakest link when it comes to cyber security – but it doesn’t have to be this way.” He believes that with the right tools and processes in place, security awareness training is a key part to achieving a mature security posture.

See Related: “6 Tips To Improve Security Awareness At Your Company”

Because the end user is considered the weakest link in the security chain ‘hacking humans’ is important in enterprise security because it is more than just training for compliance reasons. “You can put in the best technology but if the end user does not understand why and how they are a target, they are going to make a mistake,” Welch explains.

Changing Cyber Security Culture

While he notes that technology may mitigate some of that risk, “we have to change the behavior and that starts with changing the culture and making the end user part of the solution.” In other words, it is important to understand who you are training, and what you need to train them on, in order to be able to change the behavior and strengthen the security chain. Here is how you do it:

1. Change the equation and become a less likely target. You change the equation by engaging the end user. Our goal as security professionals is to listen to all levels of the business in order to engage and motivate everyone to be involved. With proper training, the end user can be the first and last line of defense. 
   
   
2. Leverage key human motivators to sustain behavioral changes. The adversary takes advantage of human nature and emotion in order to influence you to take action that, more than likely, is not in your best interest. As security professionals, our job is to make the end user aware of these types of attacks, provide examples on how they are initiated, and what to do in the event they disclosed information (or clicked on that link that says “Urgent” or “Important”).
   
   
3. Analyze end user needs: physiological, safety, esteem, belonging and potential ways to provide reinforcement. Reinforcement is provided by understanding and listening to each end user and making sure they understand they are not alone, and each end user has the opportunity to learn from events that occur. The hardest part is ongoing collaboration — it should not just be a compliance checkbox. The cyber security landscape changes on a daily basis and we can't do it alone. Our people represent our company brand and must feel empowered to be part of the solution.

See Related: “Driving A Cyber Security Culture Into The Business”

Michael Welch is the Global CISO of OSI Group, a privately held global supplier of custom value-added food products to leading foodservice and retail food brands. Welch provides vision and leadership for developing and supporting security initiatives and their overall alignment with the OSI business strategy.

He acts as an advocate and primary liaison for the OSI security vision with executives, department heads and end users. Welch works with business leaders and directs the planning and implementation of enterprise IT systems, business operations and facility defenses against security breaches and vulnerability issues. He also performs auditing of existing systems, building the compliance framework for the GDPR regulation, development of security policies, activities and standards, for both a proactive and reactive security posture.

See Related: “Security Advocacy: A Must for Today’s Enterprise”