The American View: Doctor (Advantageously) Strange
13 March 2019
Cybersecurity is largely a game of wits, imagination, and education; not exclusively an engineering problem. Business Reporter's resident U.S. 'blogger illustrates how American companies often undermine their cyber defences by overlooking their most interesting (and unconventional) applicants.
America’s contemporary corporate hiring process seems to be irredeemably broken. I’ve ranted about this at length going back to my earliest columns for Business Technology. Heck, my first book – Why Are You Here? – had an entire chapter devoted to why and how the best-qualified candidates for a position will usually never make it to an interview. This isn’t news. It is, however, a perpetually frustrating situation for all of us trying to find the talent that we need to achieve our business objectives.
My latest brush with this headache surfaced on Twitter in February when a fraud prevention expert I follow – Dr Martina Dove – expressed her frustration over trying to explain to companies why her PhD and training as a psychologist made her a good fit for their organisation. That a company would reject her candidacy for being over-educated and exceptionally useful makes no rational sense.
Consider the threat that Dr Dove specializes in: fraud, deception, and misdirection are all crimes directed at people. If you own or run a business, you have people. Therefore, you’re vulnerable to (and will be incessantly targeted by) these sorts of attacks against your people. This is a fundamental challenge facing all organisations because … Wait. Hang on. Why am I preaching here? I invited the good doctor herself to explain it:
‘I think organisations don't get the importance of good fraud prevention measures in terms of human factors, such as advice for customers, users, individuals or even employees. When they have an employee breach … they probably put it down to that employee being unfit for the job. [The thing is] everyone, under the right circumstances, is vulnerable to manipulation. And scammers are very good at manipulating.’ 
A talented deceiver can make you so invested in their performance that you’ll rationalise away any and all evidence that might counter your beliefs.
I concur. So much so that a significant part of my Security Awareness writing involves inoculating users against the subtle charms of professional fraudsters. I’ve made it a point to integrate fraud detection concepts into every course that I’ve designed or taught at every organisation I’ve joined specifically because people are inherently vulnerable to charismatic deception. Why? Because of humans’ inherent fatal flaw: good people naturally want to be helpful.
Consider: supervisors select job seekers specifically for their demonstrated positive attitude and customer service skills without realizing that those attributes that make a worker attractive to their company are the exact same attributes that make them attractive to a cybercriminal! An adversary leverages a good worker’s helpful attitude and essential decency through misdirection and manipulation to convert them into an unwitting accomplice. That’s literally how fraud works. The criminal tricks the victim into committing their crime for them (in whole or in part).
It should go without saying that a successful fraud defence programme requires the people running it to possess fraud defence expertise. The more, the better given the stakes involved. Organisations that wish to remain viable need boffins who can train their people, improve their processes, and design new defensive controls to minimize the quantity and severity of human compromise attacks. This is blatantly self-evident. To defend against the threat of fire, you deploy professional firefighters. Likewise, to defend against fraud, you deploy … say it with me … professional fraud-fighters.
And yet … not all organisations do this. If anything, most modern corporations seem to believe that fraud prevention is a topic limited to the retail sector, when fraud is actually a threat to every worker everywhere. To be absolutely clear, it’s not a retail-only problem. Despite how obvious that seems, some organisations don’t seem to comprehend the fundamental nature of the threat from fraudsters:
‘I was recently told by a bank that rejected me that they have no need for me because their fraud prevention measures are about making the system secure. … if you are providing customer service in any shape or form and this is done by humans – your organisation needs to address human factors.’ 
While marketing departments like to brag ‘our people are our greatest resources’ it’s the security department’s responsibility to prevent those same people from simultaneously being a cybercriminal’s greatest resource as well.
She’s absolutely right. There’s never been an information system built that was ‘perfectly secure.’ Humans use systems; no matter how robustly a system is constructed or configured, its human operators can always be suborned. A company that focuses its efforts on purely-technical controls at the expense of human controls is doomed. That’s what makes the cybersecurity profession so challenging: we have to convince leaders that every single person in the company can and will be targeted. This is typically a hard sell; it’s almost like old-school executives, business owners, and managing directors think cybersecurity is indistinguishable from sorcery – some ineffable arcane practice that’s performed exclusively in the Ethernet.
Cybersecurity – truly, just ‘Security’ – is about protecting organisations and people. A large percentage of our work consists of equipping, guiding, monitoring, and educating people. The least-invested activity there is ‘educating’ because it’s the most difficult goal to pursue and it has the longest return-on-investment. That being said, it’s also crucial to long-term defence effectiveness. That’s why I argue that Dr Dove is living proof that effective fraud defence is a matter of applied education, not wands and incantations (or its modern incarnation of scripts and engineering).
I’ve published a stack of articles arguing that people with rare and unusual skills strengthen an organisation’s systemic defences; they don’t detract from them. As such, people with rare skills should – in an ideal world – be fought over, not ignored. If necessary, entirely new positions should be crafted on the spot to prevent the person from getting away (or, worse, getting disillusioned and defecting to the dark side).
I swear … I can’t understand why Dr Dove hasn’t been snatched up by a tech giant or a FORTUNE 500 company HQ in her area already. She lives in the Seattle, Washington area – surely Microsoft would have chased her down the moment that they realized that she was in their backyard … or Boeing … or Starbucks … or Nordstrom … or Weyerhaeuser. All of those organisations have people that need defending and money that criminals want.
Remember always; the strongest vault ever made is only as effective as the least-capable human who knows the passcode to open it.
Bear in mind, Dr Dove insisted throughout our discussion that she isn’t a ‘cybersecurity expert.’ I respectfully disagree. If – as I’ve been arguing for the last eight paragraphs – you accept that cybersecurity is (in large part) a quest to protect people from themselves, then Dr Dove is absolutely one of us. Forget the nuances of the degree; she knows a ton about what we’re trying to do. As proof, I offer this: during our interview, I asked Dr Dove about the focus of her academic research. She explained:
‘My PhD was about identifying individual factors (e.g. personality traits, behaviours, circumstances) that make people vulnerable to fraud. In addition, I researched different techniques scammers employ in order to encourage compliance, such as known persuasion techniques frequently used, specific language that is used to semantically prime the victim and any other features of fraudulent correspondence, such as visual priming that often adds to credibility (e.g. copied logos). Then there are emotions and primal drives that fraudulent content may evoke, such as greed, fear, excitement. These emotions are short lasting but very powerful and compromise careful and rational thinking. All of these things can be used to manipulate scam situations and people need to be aware of that.’
Not a cybersecurity expert? Pshaw! The psychological principles that make phishing attacks effective are the best immunization technique for protecting oneself against them: by understanding how fraudsters manipulate a reader’s impressions, emotions, and decision-making processes, a user can learn to recognize and evade phishing attacks. It’s a far more effective tactic than trying to teach users how to parse e-mail headers or manually validate the authenticity of SSL certificates.
This is clearly a subject that Dr Dove knows quite a lot about. I’m arguing that she can leverage that knowledge to help protect her next employer and, personally, I think she’d make for an exceptional security professional if she agreed to join the team. Just because no traditional individual contributor security position outside of academia requires a PhD doesn’t mean that a PhD in a security-adjacent topic isn’t potentially useful. An organisation that’s genuinely interested in protecting its personnel ought to see that sort of dedicated focus and research as a potential strategic advantage.
Remember: security isn’t sorcery. There are no mystic portals or eldritch UNIX distros. Just tools, rules, processes, and people all focused on thwarting the opposition. Trust me … it’s not nearly as exhilarating as movies make it out to be.
Cards face up, I find it frustrating that I can’t personally do anything to help her other than to signal-boost her situation; my current team is fully-staffed. Even if it weren’t, my company doesn’t have an office in Seattle. I’m also miffed on principle that I can’t do for my own organisation the exact thing that I’ve been urging others to do for theirs in this column.
Then again, this isn’t just about her; this is a recurrent vexing problem affecting nearly everyone with extensive and exotic skills who are competing for work in US corporate space. Everyone who has watched their non-standard résumé bounce off of an AMS because the ‘expert system’ wasn’t smart enough to match concepts to an arbitrary list of keywords. Everyone who has spent an entire interview trying to explain their own job to the person screening applicants for it. Everyone whose application got unceremoniously bounced because their degree didn’t meet a posted position’s mandatory certification requirements (or vice versa). Everyone who has been forced to stand idle while a company that they applied to shows up on the evening news as the newest victim of an easily-preventable fraud technique. The people who see the hidden threats lurking just behind the everyday world’s veil of benign civility.
Our hiring system is broken. I understand how we got here … HR screeners want perfect matches for arbitrary keywords between PDs and CVs to ensure an audit-ready functional fit. Bean counters want to pay the minimum possible wage for the minimum required skill level to ensure a cost fit. Managers want a compatible personality that won’t intimidate or outshine the other established team members – or themselves! – for a social fit. This is all understandable behaviour. It’s also seriously counterproductive. The candidates with the unusual CVs and colourful academic interests may be the hardest to place on a vanilla org chart, but they’re often the most valuable resources on the roster when the phishers, fraudsters, and social engineers come-a-knocking.
We need to fix this. We all need to become more welcoming to the weird and wonderful people on the fringes of our career field. We need to spend less time ‘screening’ candidates and more time talking with them. We need to stop treating corporate hiring like it was military recruiting. We need to invest in people with potential.
Speaking of … OI! BOEING! MICROSOFT! AMAZON! … You’ve got an ace in your draw pile. Stop hyper-focusing on ‘AI’ solutions to address messy human problems. Give Dr Dove a ring before someone beats you to it ...
 Business Reporter’s previous IT-focused sub-brand.
 You can find her under her Twitter handle @CuriousShrink
 Emphasis added. This, and all subsequent quotes in this column came from my 27th February 2019 interview with the good doctor.
 Emphasis added.
Title Allusions: Scott Derrickson, Doctor Strange (2016 Film)
POC is Keil Hubert, firstname.lastname@example.org
Follow him on Twitter at @keilhubert.
Keil Hubert is the head of Security Training and Awareness for OCC, the world’s largest equity derivatives clearing organization, headquartered in Chicago, Illinois. Prior to joining OCC, Keil was a U.S. Army medical IT officer, a U.S.A.F. Cyberspace Operations officer, a small businessman, an author, and several different variations of commercial sector IT consultant.
Keil deconstructed a cybersecurity breach in his presentation at TEISS 2014, and has served as Business Reporter’s resident U.S. ‘blogger since 2012. His books on applied leadership, business culture, and talent management are available on Amazon.com. Keil is based out of Dallas, Texas.