As cybercriminals increasingly target specific people within organizations in hopes of breaking into networks, onboarding new information technology (IT) solutions to solve or mitigate cyber risks will not be enough to defend against sophisticated probing for weak links in the human capital chain.
But a people-focused approach would make a real difference in cybersecurity efforts, government and industry experts said during a MeriTalk webinar – People First: A New Approach to Government Cybersecurity – on Feb 2.
William Tinston, director of the Federal Electronic Health Record Modernization office, explained that increasingly – but mistakenly – Federal agencies think that the solution to cyber risk lies in IT. However, better tech is not always the solution.
“We make the mistake of assuming that everything has an IT solution, but many problems are not IT problems,” Tinston said.
He explained that cybersecurity must be about people, principally the workforce and the people behind the data. To realize security gains, organizations must have processes and oversight over those processes to mitigate increasing cyber risks, “such as double checking email inquiries before responding to an individual,” Tinston said.
“We still have the responsibility to protect the network, but we have to start with people first, and this begins with the processes in place to educate the workforce to protect people’s data, especially in the Federal healthcare sector,” he emphasized.
Ryan Witt, the industry practice leader for Healthcare at Proofpoint, agreed with Tinston and said that the people-first approach “is the ideal strategy in defending against this growing risk.”
The panelist explained that the “people-focused approach” must also be taken into account as Federal agencies begin to transition to a zero trust framework.
Tinston explained that zero trust takes a holistic view of who has access to what kind of information in an organization, and “a lot of this is understanding people’s roles and the risk created by their roles if they were unwittingly compromised. It goes back to the training, having measures in place to protect your people against these constant attacks,” Tinston said.
Tinston also explained that a people-first approach to cybersecurity allows for greater flexibility in protecting an organization because it does not solidify endpoints.
“Our endpoints shift as our people move around, especially when talking about the Department of Defense and our warfighters,” he said. “So beginning with the people and protecting the people does not confine us to solid endpoints. I believe this gives us more flexibility in our cybersecurity efforts.”
Witt warned that as Federal agencies shift to a zero trust framework, they must be wary of “purchasing” zero trust from “vendors who’ve latched on” to the recent zero trust buzz “to make a profit.”
“Zero trust is a cultural paradigm shift. It’s an approach or mindset to cybersecurity, not a profitable cyber solution,” Witt said. “It’s about understanding your people’s role and who needs access to what and what risk is associated with allowing access.”