By Jordan Rummel, Cyber Transformation, Booz Allen Hamilton &
Steve Hennessey, Cyber Transformation, Booz Allen Hamilton
Traditional cybersecurity models fail to directly address inherent human risk
Every day, CISOs are asked to combat an evolving array of risks that threaten the security of intimate organizational data. To complicate that task, the monster is usually located inside the house; according to Verizon’s 2022 Data Breach Investigations Report, 82% of breaches involved the human element. “Whether it is the use of stolen credentials, phishing, misuse or simply an error, people continue to play a very large role in incidents and breaches alike.”
The challenge: while the range and sophistication of bad actors continue to multiply seemingly beyond measure, security models struggle to keep pace; historically, enterprise safeguards have long favored technical controls (“password123” just doesn’t cut it in 2022) rather than targeting cybersecurity’s true root cause of failure – people.
Zero Trust approaches its potential when fueled by human-centric security
Zero Trust is a vastly improved emergent framework that tackles the human element through access-dependent user re-authentication; technical controls use contextual user information to make access decisions that selectively adjust individual permissions and reduce risk. Zero Trust is intentionally restrictive: its digital gatekeeping assumes enterprise users carry risk and restricts access by technical control.
Consequently, Zero Trust is excellent at keeping organizations safe from both accidental and targeted cyber threats, albeit reactively. Complementing that approach with a human-centric mindset pivots the solution to a proactive and predictive posture. Investments in human-centric approaches also tend to yield large, often untapped, incremental returns and can unlock returns from technical investments. CISOs, in evaluating their security architecture and shifting threats, can therefore harness human-centric models in tactical ways to evolve the Zero Trust model. Complemented by a human-centric approach, Zero Trust becomes an even stronger arrow for CISOs to proactively and predictively target the user-first challenges that dot today’s threat-rich landscape.
Dynamic Cyber Trust is the next step in the evolution
At Booz Allen Hamilton – a world-class technology and consulting firm – our Commercial team believes the future of security is the natural human-centric evolution of Zero Trust, a model we call Dynamic Cyber Trust (DCT). DCT injects human risk into the Zero Trust mindset to create a predictive, continuous, holistic, and human-centric approach to security at the intersection of people, processes, and technology. Quantified Human Risk Assessments – distributed as scorecards – give users a 360-degree risk score that identifies areas of strength and actions needing greater focus. Poor performers are coached up or out; the inherent gamification spurs cross-organization competition. By proactively measuring user trust to prevent incidents in real time – and following up with risky users to train and improve cyber behaviors – DCT helps realize the Zero Trust promise, via constant user self-reinforcement, to halt internal organizational risk in its tracks.
To deliver Dynamic Cyber Trust, Booz Allen’s Commercial team leverages Elevate’s cyber risk intelligence capabilities to provide rapid risk assessments and deep visibility into organization-wide internal cyber risk. Elevate also powers the Booz Allen Commercial team’s Dynamic Trust solutions, which marry zero trust principles with individual risk scores to deliver cyber protection that minimizes insider risk while preserving organizational productivity.
Andrew Turner, executive vice president, chief technology officer, and market strategy lead for Booz Allen’s global Commercial business, said:
“Our Dynamic Cyber Trust solution leverages the Elevate Security platform to create a uniquely scalable approach that holistically targets one of cybersecurity’s root causes of failure – people. Our solution builds on core concepts of the emergent cybersecurity framework, zero trust, adding human risk assessments and employee cyber behavior analysis. This strategic and predictive approach to organizational cybersecurity eliminates implicit trust, continuously validates every stage of digital interaction, and provides transparent and measurable human-centric feedback to reduce security gaps over time. Our world-class consulting expertise powers a Dynamic Cyber Trust solution to drive continuously increased levels of security in the face of evolving threats.”
Final Thoughts
The evolving risk landscape demands that security professionals constantly rethink and modernize their approach to safeguarding against cyber threats. Every day, bad actors take risks to gain unprecedented levels of unauthorized access. To combat these intrusions, organizations must be willing to push the security envelope and tackle root causes of risk head-on. If the data clearly shows that human error plays a pivotal role in enabling increased cyber risk, then the opposite must be true as well – an informed and educated staff is an organization’s top line of defense against cyber threats.
“An ounce of prevention is worth a pound of cure.”
In some respects, the entire situation is akin to medicine. Zero Trust and curative medicine are reactive in nature and treat symptoms with technology. Alternatively, human risk assessments and preventive medicine focus on human behavior to proactively mitigate issues before they present. Dynamic Cyber Trust and holistic/integrative medicine embrace it all to address the range of human behaviors – and leverage the best of technology – to treat the entire person over a lifetime.
For more information about the Booz Allen Commercial team’s Dynamic Cyber Trust contact: Luke Simonetti (Simonetti_lucas@bah.com); Renee Rakowski (rakowski_renee@bah.com); Steve Hennessey (hennessey_stephen@bah.com); Jordan Rummel (rummel_jordan@bah.com).