In part 1 of our interview (which you can read here) with Richard Bird, Client Director of Optiv, Inc., we began our discussion on identity security and on Identiverse. Richard is an expert in risk management and insider threats, and he’s a former CISO and CIO. He’ll be speaking at Identiverse in Boston, MA, June 24-27.
Here’s part 2 of our conversation, edited for readability and length:
Ben Canner: You think any of the keynote speakers at Identiverse will be covering the same topic?
Richard Bird: It’ll be interesting to see. I have a reputation for being a contrarian. That’s why I don’t work in corporate America anymore. I have the liberty to state the obvious.
What I like focusing on is the notion that we’re outmanned, outgunned, outmaneuvered. What are we even doing to change that situation? We’re not being outspent by the bad guys.
I don’t know that any of the keynotes will be tackling the subject from that angle. But I do think that there will be a commonality in the themes: the identity marketplace is not being responsive to the need for accommodation, the realities of insider threats relative to the threat of employees acting day-to-day trying to do their jobs.
Ben Canner: Do you think that better educating employees on the day-to-day activities that put their companies at risk will be covered at Identiverse? Or is that an issue that is going to take much more time to really address? It is an issue that I’ve seen crop up again and again in my own research: that employees are the largest digital attack vector in any enterprise.
Richard Bird: Yep.
I’m sure there will be a lot of discussions and presentations on security training. Let me couch this by saying I’m a contrarian: I don’t put a lot of stock in the traditional talking points. Annual, semi-annual…I’ll even go weekly…security training is not going to move the needle.
We can’t figure out how to educate employees, who are often very security conscious on their personal media feeds, to be security-aware in the workplace. We’ve taken this simple situation and added layers upon layers of complication. We’ve never taken a step back and asked, “what can be done to bring solutions from the physical world that work into the digital?”
Visibility is at least part of the issue. Growing up I saw signs that said: “We’ve had this many days since our last accident.” It was by the gate in or the time clock, clearly visible to everyone.
At an insurance company I worked at, I suggested creating a metric and putting it on the employee login page so every time they logged in they can see “It’s been this many days since someone has clicked a malware link.”
We actually built the metric. We had to put off our plans to implement it. It was coming up with “it has been 16 minutes since somebody at this company has clicked a bad click.”
It’s visibility that’s the problem. We do not put security at the top of mind of employees every day. Once again, in the physical world, we do it all the time. And we never go “no, it’s way too hard.”
I call baloney on this because we’re not addressing the simplest things. It’s not a solutions problem. It’s a people problem. If we’re not investing in a people solution, we’re not going to see much improvement.
Ben Canner: Is this a generational issue in some capacity? Are people who have spent more time on the internet more likely to be secure in their actions? Is there any demographic that is more secure in their digital actions? And if so, what can we learn from that?
Richard Bird: There are interesting problems stemming from demographics. The digital pioneers, the Gen X and Gen Y generations, are very aware of security but we are also the most common violators of trying to get around it. The Baby Boomer generation sees a lot of challenges with security awareness just because of the nature of what’s changed. And perspectives don’t change as rapidly as technology. That’s oversimplifying quite a bit, but it’s a pattern.
We don’t see that with millennials, but we see another problem which is complicated for cybersecurity. Here is a group of people who represent the digital makers now, the new pioneers. They grew up on the internet, raised in the Zuckerberg era, where it was definitively stated that there is no more privacy. So this causes a tone deafness with the realities of cybersecurity where we see them saying “it doesn’t matter, there is no more privacy” while their employers and customers would beg to differ.
So we have a lot of different perspectives that cause negative outcomes caused by different generations. None of them have demonstrated cybersecurity awareness.
Ben Canner: You’re going to be at Identiverse as well. What are you most looking forward to seeing?
Richard Bird: There’s a lot! I talk about this conference all the time! Again being a healthy skeptic, I didn’t put a lot of stock in conferences. But I tell everyone I know about Identiverse.
In part, I like the energy around it. If we get buried in the day-to-day of identity security, we can get really defeated. I am excited to be in a place where people are enthusiastic and focused on identity-related issues.
I know I’m going to walk out of Boston feeling just as excited about the year after as I feel about this year going in.
Ben Canner: I feel the same way. Thank you very much for taking the time to speak with us today, Richard. I hope our readers can join us at Identiverse, which will take place in Boston, MA, from June 24 to June 27.
Thanks again to Richard Bird of Optiv, Inc. for his time and expertise! You can read part 1 of our conversation here.
You can use our promotional code REGISTERNOW18 when you register to save $250. Get ahead of the identity game! Make sure you register here today!