The human firewall cannot be fixed, says McAfee CTO

A five-question interview on current topics in cybersecurity. One question may even surprise you.


Raj Samani is an active member of the information security industry, through involvement with numerous initiatives to improve the awareness and application of security in business and society. He is currently vice president and chief technical officer for McAfee EMEA, having previously worked as Chief Information Security Officer for a large public sector organisation in the UK; he was inducted into the Infosecurity Europe Hall of Fame in 2012.

He has previously worked across numerous public sector organisations and in many cyber security and research-orientated working groups in Europe. He is also the author of the Syngress books ‘Applied Cyber Security and the Smart Grid’ and ‘CSA Guide to Cloud Computing’, and technical editor of ‘Industrial Network Security (vol2)’ and ‘Cyber Security for Decision Makers’. In addition, Raj is currently the Cloud Security Alliance’s Chief Innovation Officer and Special Adviser for the European CyberCrime Centre.

We recently sat down for a quick chat on the state of cybersecurity.

What does the average week look like for you?

The only thing consistent about my week is the lack of consistency! Although, in general, the intent is to dedicate some time toward proactive measures. I am sure I can speak for everyone reading this when I say we can spend all week simply responding to emails, so I do try to put some time aside for things outside of email response!

Name the top three cybersecurity risks that keep you awake at night?

Do you remember the film adaptation of H.G. Wells’ book The War of the Worlds? The precursor to the invasion was blackouts across Ukraine. Well, not wishing to tempt fate, but…

In all seriousness though, we do have to tread cautiously with regard to drawing conclusions; however, the one thing that is very apparent is that we are witnessing greater connectivity than ever before. Furthermore, disruption of these systems can and does have a dramatic impact on society. I have said this many times before, but the future cloud will be keeping our water clean and our lights on.

Ensuring that we, as an industry, are focused and engaged with protecting these systems is our single biggest challenge. I don’t feel that we can stay a self-serving industry looking to score points off one another.

This is imperative, because in a few years we will be hurtling down the highway in self-driving cars, and the risk of not being engaged with the broader business does not bear thinking about.

How do you measure success and failure in an information security management program?

Ironically, a true measure of success is more work! This happened to me once before. We were looking to drive awareness when I was a CISO. The net result was more people were reporting security incidents because they knew what to look for and where to go.

More broadly, I feel that success from a subjective perspective is greater engagement with the business. We are all fully aware that security is something that the entire business assumes responsibility for (or at least should). Working in tandem with information asset owners is, to me, the measure of success.

How would you fix the human firewall?

Well, you cannot. We each have subconscious levers that can be used to influence us. These are what criminals use within modern spear phishing emails, and they are intended to tap into our subconscious to influence our behaviours. What I find remarkable is that these tricks are being used within emails bombarding our inboxes; in fact it’s not just email, they are coming in via multiple channels.

I wrote a paper about this called Hacking the Human OS, but it was intended to get us to move away from simply blaming users for clicking on links, and to ask questions about moving away from using solely awareness as the default answer. There are multiple answers to this, and they involve technology (e.g. voice stress analysers), process (communicating to employees where to report suspicious requests for data) and people (tiger testing, for example).

We will never fix the issue, but the risk can certainly be reduced.

A question you yourself would like to be asked…

What fills you with hope about the future of technology? We have pockets of collaboration. Whether that is law enforcement/private industry or indeed exchanges of data between private sector. It’s a little later than the criminals have done, but in the past two years more progress has been made than ever before.

Our biggest challenge, however, is before us: getting the basic foundation of security and privacy integrated into the new wave of devices we will all use.

Copyright © 2016 IDG Communications, Inc.