Partner Perspectives
12/15/2016 10:00 AM
Lynda Grindstaff
Are Unconscious Biases Weakening Your Security Posture?

Proactively addressing your biases can help you build a resilient and adaptable security foundation.

As we move from one year to the next, it is valuable to reflect on what has changed and what hasn’t in our areas of interest. In cybersecurity, there are two notable things that have not changed over the past year, and one that has changed significantly.

The two issues that have not changed much are the ongoing scarcity of experienced security personnel and the somewhat related issue of little diversity in the security workforce in most organizations, especially the low number of women.

Where cybersecurity has changed a lot in the past year is the rate of innovation -- by organizations and their adversaries -- as they strive to gain an advantage.

There have been a fair number of blogs, articles, and research papers on these topics, and my goal is not to rehash those. Instead, I’d like to explore these three items from the perspective of unconscious bias -- the quick decisions that we make automatically and often without real awareness.

On the scarcity of experienced security personnel, many people I’ve spoken with have an unconscious bias toward hiring people with undergraduate degrees in security and/or various security certifications. But there are lots of other qualified individuals out there, whether they are coming from non-degree programs or lack a security certificate -- many of whom may already be working at your company. Consider organizing hacking contests or using video games that contain a realistic hacking component to identify potential candidates and reduce this bias.

Another unconscious bias that can affect the security workforce shortage centers on automation. Again, many people I’ve spoken with are concerned about letting machines make decisions such as blocking access, killing processes, or deleting files, which are tedious but critical components of any set of cyber defenses. It is time to actively work to counter this bias. Automating tedious and repetitive tasks in a way that supports and augments the human security team is essential to dealing with the volume of attacks, alerts, and cleanup activities that most organizations face every day.

On the issue of women in the cybersecurity workforce, this is a longer-term project as it requires engaging more women and girls in security and technology concepts, training them, recruiting them, and keeping them. This can feel like a catch-22, as women sometimes look for jobs and environments that already have a reasonable percentage of women. However, it is also important to look at the work environment around you and make the necessary changes to attract and retain women. Sometimes the behavior of a group unintentionally excludes others, whether it is due to common topics of conversation, team-building activities, or after-work gatherings.

Finally, and possibly most dangerous, is the issue of unconscious bias and innovation. Studies repeatedly show that diverse groups are a bit more challenging to work in, but come up with better and more innovative solutions. Attackers are continually benefiting from this diversity, sharing and trading tips and code across national boundaries, among criminals and nation-state actors and others that have an interest in the technology. For example, a recent report on cyberattacks targeting the healthcare industry includes examples of attackers looking for partners, helping each other through some technical difficulties, and offering congratulations and a bit of envy after the theft of some medical records.

Adversaries have found new and creative ways to attack over the past year, including significant innovation in ransomware and DDoS attacks built on thousands of compromised webcams. Does your organization assume it may not be affected because it is located in a different country from where its suppliers and customers operate? Have you considered the impact of new devices and apps that are popular with your employees or consumers but not used by everyone on the team? Do you discount comments from younger employees because they have less experience? Any one of these things is an example of an unconscious bias that can increase the risk to your organization.

Our predictions for 2017 highlight another active year for cybersecurity. Proactively addressing your biases can help you build a resilient and adaptable security foundation that can more effectively detect, protect, and correct threats that are known, as well as those that haven’t even been invented yet.

Lynda Grindstaff creates the future for Intel Security as the Senior Director of the Innovation Pipeline. In this role, Lynda leads a global team that brings the future to life for Intel Security through innovative strategies and prototypes. Her tenure with Intel spans two ...