We think the industry needs to do much, much more to address the human element of cybersecurity. This is the story of why we founded Nudge Security.
Today, we officially launched our company, Nudge Security. You can read about our seed funding announcement with Ballistic Ventures here.
In founding Nudge Security, we are taking on cybersecurity’s biggest challenge yet – people.
Don’t worry – we’re not working on another cybersecurity training or phishing simulation tool. Frankly, these types of “gotcha” exercises often do more harm than good. They can lead to security fatigue and an overall impression that cybersecurity in the workplace is a burden, dull and punitive. Click on a pretend malicious link? Do not pass go, do not collect $200, go straight to cybersecurity training. This creates extra work for employees, not to mention already-overtaxed cybersecurity and compliance teams to govern.
This approach also sets up a bad dynamic within the organization. “Don’t pay attention to those folks behind the curtain - they’re just monitoring your every move and will hunt you down if you ever break a security policy that’s buried in some handbook you received when you joined the company years ago.”
Excuse the hyperbole, but we think the industry needs to do much, much more to address the human element of cybersecurity. And here’s why. In modern organizations, cybersecurity is a battle over human behavior.
Ah, human behavior, that elusive piece of the cybersecurity triad of people, process, and technology. Be honest, does it give you a bit of heartburn just to think about it? If so, you’re not alone. The cybersecurity industry has largely devolved to the point of treating people (so affectionately dubbed “end users”) as a liability.
It feels we have taken the tenets of ‘zero trust’ and decided that we need to apply it even to our employees. As if somehow the same people we entrust to the future success of our organization could not possibly make rational, secure decisions. Instead those employees are treated as liabilities whose behaviors must be limited, monitored, and controlled.
How did we get here? While the industry has largely viewed human behavior as a problem to be controlled with technology, our adversaries have taken the opposite approach. In recent years, cybercriminals have become masterful in manipulating and exploiting human behavior in their attacks - making them more successful with less effort. They know how to prey on our motivations, fears, and curiosities to breach our defenses:
“Payroll.xls”
“Bonus Review - CONFIDENTIAL”
“Invite Only Club”
“I hate it when you ignore me”
(These are all examples from our own inboxes, by the way.)
It’s hardly a surprise that most data breaches today start with a social engineering attack. Why wait for a vulnerable server to be exposed when you can more easily convince Ron from IT to urgently reset some passwords for the “CFO?”
Cybercriminals are hijacking human behavior, turning our employees against us. We think it’s time for our industry to reclaim human behavior to our advantage, and that’s what we intend to do with Nudge Security.
Our mission is to secure modern organizations through the power of the modern workforce. We believe that people can and want to make secure choices at work, it’s just not always simple or straightforward. We are going to change that. We are going to help cybersecurity teams harness the immense potential for employees (re: good old human intelligence) to make secure choices that support and strengthen an organization’s cyber risk posture while making it effortless for all parties.
There’s never been a more crucial time to address this. That's because the way we work has shifted so dramatically in recent years, and it’s shattered our traditional cybersecurity models. Yet, cybersecurity has not kept pace with modern work.
Today, enterprises are more distributed and decentralized than ever (re: that cataclysmic collision of digital transformation and a global pandemic.) In today’s hybrid and remote environments, employees are working across too many locations and devices for cybersecurity teams to monitor. They connect, collaborate, and share information across cloud and SaaS applications. And because SaaS and cloud service models are designed to make it incredibly easy, fast, and often free to get started, individuals and teams are adopting new cloud apps at a clipping pace.
The reality is that today any employee can make an IT decision that impacts an organization’s cyber risk posture at any moment. These decisions are happening faster and increasingly outside the purview of IT and cybersecurity, making it more difficult than ever to answer the question, “where do all of my corporate assets currently reside and who can access them?” Cybersecurity teams are outnumbered and outpaced.
It’s no longer tenable to maintain the traditional cybersecurity model in which a small group of experts rely heavily on technology to block, limit, monitor, and control the behaviors of employees. We can sort-of make this model work if …
But, let's face it. These requirements no longer reflect the realities of how and where work happens today. The industry’s attempts to jury rig this outdated model for the modern cloud-first workforce has only led to complex and expensive network-based proxies and cloud brokers, an overload of disparate IAM policies, and rampant shadow IT.
Cybersecurity is falling further behind.
We need more cybersecurity experts, stat. Organizations have a wealth of cybersecurity expertise in their workforce, they just don’t have a way to tap into it. Organizations need a better way to engage their employees in making smart, secure decisions anywhere they work without disrupting their normal pace and flow of work.
They need cybersecurity built for people, not around people.
This is why we founded Nudge Security. We believe that by engaging employees with the right information at the right place and time, we can guide them – or nudge them – towards making more secure choices. In doing so, we can help cybersecurity teams to gain much-needed leverage in their hybrid and remote workforces while also better understanding their employees’ behaviors and motivations.
We didn’t exactly revolutionize the idea of a nudge. That claim belongs to behavioral economists Richard Thaler and Cass Sunstein, who popularized nudge theory in their 2008 book titled, “Nudge: Improving Decisions About Health, Wealth, and Happiness.” They describe a nudge as, “any aspect of the choice architecture that alters people’s behavior in a predictable way without forbidding any options or significantly changing their economic incentives.”
We are inspired by the many real-world applications of nudge theory that span multiple disciplines, including healthcare, public health, environmental sustainability, and beyond. We also realized that the application of nudge theory in the cybersecurity domain is still nascent and largely academic. (One well-known example of a security nudge is a password strength meter, which prompts users to create harder-to-crack passwords, often with a red-yellow-green indicator.)
We believe that the concept of nudging can have a seismic impact on modern cybersecurity and that this is an urgent imperative for the industry. And we are so excited to take it on.
While we aren’t publicly announcing exactly how we do this yet, we are ready and eager to invite cybersecurity, IT, compliance and engineering leaders to engage with us directly and get early access to our product as part of our "launch team."
We are also currently expanding our fully remote and asynchronous team. If this approach sounds interesting to you, and you want to join us in creating a new generation of human-centered cybersecurity solutions, we want to talk to you about career opportunities.
You can also join our mailing list to keep up with our latest news, product announcements, and period musings on this topic and others. If that’s still too much commitment for you, you can follow us on LinkedIn and Twitter.
Stay tuned, friends.