Read the book 8 Steps to Better Security - Kim Crawley - Page 6
Chapter 1 Step 1: Foster a Strong Security Culture
People generally assume that cybersecurity is a purely technological area of study and take it for granted that cyber threat actors, called hackers by laypeople, must be computer geniuses. They have to have some mastery of computer programming and an advanced understanding of how computer networks work. And if you take the Hollywood stereotype really seriously, then you probably believe that the most notorious cyberattackers work from an elaborate computer lab in their mom's basement, wearing a hoodie and typing at 400 words per minute. I imagine something like the movie WarGames, but with a more 21st century–style presentation.
So, surely, if you're learning about cybersecurity, it's all about computer science stuff, right? You likely bought this book because you're a businessperson who wants to improve the security posture of your company. So, maybe you expect this book is about hiring the right supernerds for your IT department, and then you just let them do their technical wizardry. Why do you need eight steps for that? Step 1: hire computer experts. Step 2: don't think about cybersecurity ever again.
Actually, it's not that simple. Understanding computer technology is definitely a big part of understanding cybersecurity. But cybersecurity also overlaps with the arts and humanities. To understand cybersecurity properly, you must learn about the psychology of the interactions of people with computers. Then you must also learn the sociology of the interactions of groups of people with computers and how people within those groups influence each other's behavior. Cybersecurity is as much of a human area of study as it is a technological area of study.
The first step to improving your company's security posture is to foster a strong security culture. Culture doesn't manifest in the firmware code on your PC's motherboard. Culture is about the ideas, attitudes, and styles people create and maintain in their interactions with each other. Your company could have the best security policies and the most expensive network security devices. But if the people in your company don't behave in a secure way, improving your security posture will be an uphill battle.
From the balcony of my skyscraper condominium, I can see mighty maple trees thriving near Toronto's lakeshore. Those maple trees evolved over thousands of years to survive harsh Canadian winters. Their genes make them hardy, and they produce a resilient life-form. But if it weren't for the deep nutritious soil and sufficient annual precipitation in their environment, those maple trees wouldn't be able to grow and survive for hundreds of years. That's why you don't see maple trees growing in the desert.
Your company's security culture needs to be the nutritious soil and sufficient precipitation for the seeds and saplings of your computer hardware, software, networking, security policies, and security staff to thrive to become the hardy maple trees of a resilient business with a strong security posture. Even though I don't intend for this to be a cheesy self-help book, I'm not going to stop with the flowery analogies. So, just hang on for the ride!
Before I get further into explaining how to foster a strong security culture, I really need you to understand how important psychology and sociology are to cybersecurity. So, I will start with a really abridged version of the story of Kevin Mitnick, the man who may still be the world's most infamous cyberattacker.