Alissa Johnson doesn’t hesitate when asked whether people or technology is the harder-to-crack cybersecurity management challenge. It’s people, the Xerox Corp. CISO told SearchCIO at Gartner Symposium/ITxpo in Orlando, Fla., earlier this month.
“You can tell technology exactly what you want it to do, and it’s going to stay right in that box and do it,” Johnson says in this video. People, though, have a trusting side that can compel them to “click on a spear-phishing email and get us all in trouble.”
Providing employees the right education will make cybersecurity management easier, Johnson explains, but so will buying and installing technology that’s easy for them to use. So vendors, take note — and keep it simple.
“Sometimes the technology is so complicated — it’s too complicated for the average user,” Johnson says.
What is more difficult in cybersecurity management: technology or people?
Alissa Johnson: This is a great, great, great question, and I love my people. But people are sometimes the hardest thing. You can teach technology — you can tell technology exactly what you want it to do, and it’s going to stay right in that box and do it. But people — you have the humanistic side, that side of us that automatically wants to trust, that side of us that automatically wants to believe that something is good, that will click on a spear-phishing email and get us all in trouble.
So I think the people part is the hardest part, but that’s the part that requires the most education. We have to make sure that our culture understands security to a certain extent. But from a vendor perspective as well, we have to make sure that security is not difficult. That’s the technology side. We are responsible for the technology. We can tell the technology what to do, but we have to make sure it’s done in a simple way so that the people don’t mess it up.
And that’s where we get in trouble with cybersecurity is that people side. Sometimes the technology is so complicated — it’s too complicated for the average user. We have to make sure we keep the average user in mind, and not the tech gurus, when we’re creating some of the software and the configuration changes and things like that.