
LevelBlue CIO on Importance of the Human Element in Security

Cybersecurity requires more than technology. Leaders must address human behavior, insider risk, and shadow AI to build stronger, people-centered security.

Written By
Jordan Smith
Nov 11, 2025

Technology is often the primary scapegoat for security breaches, and it is often a key factor in unraveling even the strongest systems. More often than not, however, the channel’s weakest security link is people.

These days, cybersecurity is no longer solely a technical discipline; security posture in the era of AI requires a renewed focus on people.

In a conversation with Maria Cardow, CIO of LevelBlue, we discussed the psychology of human behavior within organizations and how traditional security models can fail to account for insider risk, such as shadow AI.

Underestimating the human element

The industry has a habit of underestimating people as a significant attack surface in cybersecurity posture. 

According to Cardow, this is a reality that many organizations aren’t necessarily emphasizing as much as they should.

“When you’re talking about people, I think technologists find human behavior somewhat confounding,” Cardow said. “We tell people: ‘don’t click on that link,’ but then you get an email that says it’s really important and you have to click on that link, and people click on that link. The attack surface is largely people, and I think that is a difficult problem to solve.”

Cardow says the problem is never going to have the cleanest solution and won’t be as simple as flipping a switch off and then flipping it back on when everything’s running again.

“When you add humans to the loop – which again you definitely should, we like having humans in the loop – you’re creating a larger variety of options, and it is much more difficult to do a root cause analysis when the root is a person,” said Cardow.

When a human is involved, it means understanding what they were thinking and the impulses behind those movements. It’s more complex to interview people, understand them, and predict what they’re doing and why.

Principles for leaders and why addressing shadow AI is crucial

Leaders first need to understand that technology and security problems have human solutions. That means building your architecture with the understanding that you’re not protecting bits and bytes; you’re protecting people.

“That sounds very obvious, but it is something that gets overlooked in a lot of technology and security strategies,” Cardow explains. “In an organization that is aligning itself to this, it’s incredibly important that you’ve got people getting together increasingly virtually to take a look at problems from the earliest perspective. One of the things that has just recently come up is we’re taking a look at some architecture changes as early on as possible. We have folks from the security side of the house in there thinking about architecture decisions, not from an approval perspective, but from a planning and design perspective.”

Cardow says that the earlier you can have people thinking about architecture and security together, the more likely you are to come up with ways to integrate security earlier in the process.

“I find that a lot of organizations do understand that they need to integrate security all along their value proposition, but they still think of it at the end,” says Cardow.

When it comes to shadow AI, leaders must first acknowledge that there is a problem, then put themselves in their staff’s shoes to understand why they’re using it.

Generally, people are using shadow AI because the tools being provided are not fit for purpose, which fundamentally says you’re not actually thinking about your staff’s needs.

“Why does someone go ahead and bring up ChatGPT on their phone? It’s because you’re not allowing them to engage in some tools that are very much in line with your security posture, but you’ve bypassed this method by forcing them to go outside, use their cell phone, use their personal laptop to engage in your business in a way that you’re not approving,” said Cardow. “Many of the actual activities that folks are looking to do are things that would be well-approved if you ensured that they had the correct tools.”

Human-centric cybersecurity leadership is the way forward

According to Cardow, cybersecurity practices and processes should align with your business values. Still, your people also need to align with those values and with how they are working to achieve goals.

“It’s a very nested egg situation here. By making sure that you understand what your people are doing, how are they actually executing their work, and what are the tools that they need to do,” said Cardow. “Then, you can make sure that you’re providing the security and the services that they need and that will make you safe.”

Cardow adds that by understanding their concerns, you can start to see where the gaps will be. Shadow AI is a gaping hole in the industry, and any reasonable organization should be concerned about it and try to understand where they are leaving themselves open to risk.

LevelBlue is an organization that, in general, is fascinated by systems and technology, as it’s how they make their living, Cardow mentions.

“Remember that these things exist inside of the organizations that are filled with people,” said Cardow. “Our clients are people. It’s still incredibly important to us, and making sure that we are calculating with the understanding that we’ve got to keep the human element engaged. I think sometimes we run right past that notion as we’re executing. Humans are still the last, most important linchpin in security, and we need to keep that pretty clearly in line of sight as we try to make sure that our organizations are safe.”

According to LevelBlue, new research points to a lack of visibility into the software ecosystem and third-party challenges. Read more from the report to learn about how to manage third-party threats.
