In March the White House and the CDC asked Americans to socially distance for 15 days to slow the spread of coronavirus. The guidelines from Coronavirus.gov read:
President Trump, Dr. Fauci, Governors of several states, and the CDC were training Americans on the importance of social distancing as the primary and most effective way to combat the spread of the coronavirus pandemic. They took to the airwaves, and media outlets nationwide repeated their message. And then they trusted Americans to do the right thing and socially distance themselves.
Lots of things have happened since: several states have taken steps to reopen businesses as part of the overall effort to give the economy a boost. But across the board, everyone included in their message the need to continue social distancing and to use masks in crowded public spaces.
So how did humans respond to these messages and "training"?
People gathered on beaches in Florida and California, crowds visited the cherry blossoms in Washington DC, people viewed an illegal car sideshow in Oakland, CA, and crowds gathered to watch the USS Comfort pull into NYC. The list goes on.
It’s not just everyday citizens. Even Senators were seen not appropriately social distancing or wearing masks in close quarters.
Old habits die hard, even when administrations "train and trust" Americans to do the right thing. While many of us stayed at home and sheltered in place, some (if not many) of us had playdates, held birthday parties, visited a beach, or attended church, and didn’t appropriately social distance.
"Humans gonna human."
People are human. Training and trust will always have their limitations with human beings.
When it comes to internal use of sensitive data, most companies also employ the standard one-two punch of training and trust. And it is the right thing to do: these are employees you've vetted and selected based on some thorough checks. You have to be able to trust them to do what's right for the company.
You train these employees in security, privacy, and other data compliance best practices:
And then we trust our co-workers to:
In almost every scenario, employees are likely to do the right thing. The real challenge for security teams is to detect and mitigate that one situation where an insider accidentally, mistakenly, or maliciously does something harmful.
We have to assume the worst is always just waiting to happen and plan accordingly. There are three fundamental things that CISOs and security teams can do in this regard:
At Dasera, these are the principles we will closely align with as we build a robust security solution that protects data in use. We understand and accept that humans and their behaviors are fallible. What we have built and are building towards enables security teams to lead with trust and yet be ready for the inevitable risk situations.