In the cybersecurity industry, you are only ever as strong as your weakest link. The human element is often seen as the key vulnerability, but one security firm is redefining people as a strength rather than a liability.
The cybersecurity field is growing at an incredible rate, but it remains quite young as an industry and science. As the cybersecurity industry exits its adolescence and matures into the robust and comprehensive discipline we need it to be, it must grapple with fundamental questions about what security even means in today’s digital world.
Redefining cybersecurity with David Shipley
There are a lot of voices clamouring to be heard in the dialogue that’s shaping the future of cybersecurity. But in such a rapidly-moving field with such high stakes, the most effective ideas quickly rise to the top, even if they’re unorthodox or of unexpected origin. New Brunswick’s Beauceron Security has secured a well-deserved seat at the forefront of this discussion, and CEO David Shipley is championing a decidedly human approach to digital security.
“I’m an accidental cybersecurity professional,” says Shipley. “This was not my plan. I’ve been a soldier, a newspaper reporter, and a marketer for the University of New Brunswick. When the university was attacked by a hacktivist group, I was the one who realized it, and I used my skills to help with the incident response. As a result of that, the CIO asked me to help lead the university’s cybersecurity defence. What I found there, dealing with hundreds of different incidents every year, was that the root vulnerability behind cyberattacks was rarely, if ever, technology. It was always traced back to people, process, and culture. So, I began thinking about the human side of cyber.”
And so Beauceron Security was born, with a mandate to take this idea of people and culture as the foundation of cybersecurity and turn it into something practical, applicable, and measurable.
Empowered people are secure people, a conversation with Ian MacMillan
“I had experience working at IBM on their flagship enterprise security software, and it was exciting to have the opportunity to build something like that from the ground up with a new human-focused strategy,” says Beauceron Co-Founder and Chief Evangelist Ian MacMillan. “We saw an opportunity to empower individuals, not as a liability that you have to protect, but as an asset to protect organizations. By encouraging people to do their part, we actually see a shift where employees don’t just assume that it’s someone else’s problem, and they now have the tools to act when they find a security concern. The byproduct is that the organization is more secure.”
In short, the Beauceron philosophy represents a seismic shift in how to approach the long-recognized human factor in security. If human behaviour is the most significant vulnerability, you can work to lock that down, and remove it from the equation, but that has never worked. What if, instead, you work on turning the same qualities that make people vulnerable into a key component of security resilience?
Putting bold ideas to the test: Measurable results in the security marketplace
In a recent white paper, Beauceron Security emphasized the quantitative successes they’ve seen relative to its competitors in the field of anti-phishing security. At the heart of the initiative is the Beauceron Platform, which actively motivates employees to engage with security and rewards them for doing so through positive feedback and gamification focused on critical behaviour metrics too often overlooked.
“We know that anti-phishing programs are effective and that we can use them to decrease click rates,” explains Beauceron Data Scientist Nicole Bendrich. “But it’s also important to recognize that click rates aren’t the only metric we should be measuring. It’s very easy to get a false sense of security from a low click rate. That’s why we also include metrics like the ignore rate, which the report rate that aren’t necessarily discussed as often but that are really important because they actually show behaviour.”
With phishing attacks, as with all types of cyberattacks, technology can go a long way to securing the defences. But, with an ever-growing volume of attacks, some percentage will always get through. And it’s exactly the ones that get past the AI that a well-trained and engaged human is best-equipped to recognize and address — If they’re not too scared to do so. “Our goal is to put people in control of technology, empower them to be in control of technology,” says Bendrich. “Sometimes users are just not willing to interact with anything at all because they’re afraid of making a mistake. Rather than not engaging at all, we want them to be able to identify if something is a phishing attack, or if it’s spam, or if it’s an email. Then they can move through the world a little bit less scared and more in control.”
When users are well-trained and steeped in a cybersecurity culture that values engagement and active reporting of attacks, they become less timid, and more vigilant, and they take pride in their own contribution to security. The psychological and emotional character of security is transformed from a weakness into a strength.
“There’s a reason why we chose to name our company and our technology after a sheepdog,” says Shipley. “The idea is to turn people from the passive victims of cybercrime, the sheep, into the active defenders, the sheepdogs. It’s not humans as the last line of defence after technology has failed, but as the first and best, with technology playing a supporting role.”