There’s a lot of industry activity around emerging security approaches like passwordless authentication. For many years, security professionals’ common mantra has been anchored around longer, more complex passwords. Before that, we emphasized password rotation. Multi-factor authentication often ran alongside these passwords or passphrases. On the surface, terms like passwordless authentication contrasted starkly with the way things have been done.
However, most people can typically agree that doing things in technology the way they’ve always been done is not a good strategy, even in environments that are large, slow-moving, or more traditional in nature. Rethinking concepts that are more primitive in nature (and helping others do the same) is important to collectively move the needle within our industry.
Start the Mindset Shift
To get started with the mindset shift, it’s useful to list out the more primitive needs or elements, versus debating a particular approach.
For example, passwords, complex or otherwise, are a means of authenticating things. Passwords have become almost synonymous with authentication in the same way “Google it” has become a verb around using a search engine to find something.
The more fundamental need beyond passwords is authenticating to something. Authentication can happen through some combination of:
- Something you know, like a password
- Something you are, like a biometric reading
- Something you have, like a token or mobile device
- Somewhere you are, your geographic location at the time of authentication
The first three are typically accepted as the right way to go about authentication. When you shift the debate from whether you need passwords to what combination of these factors would be secure and resilient to the kinds of attacks that are troubling to an organization (e.g., phishing, credential stuffing, password sharing, and so forth), you can make progress in mindset change.
Building Confidence
Another important approach in shifting a mindset lies in the way you build confidence in something new or different. Working in security, there are numerous opportunities to do this:
- Exploratory work, pilots, and controlled tests. These are all good approaches to quickly test out ideas to determine their viability within a given environment. Start small and build over time. These approaches also align with the ambidextrous organization model of managing innovation.
- Red team and security testing. Setting something new up and testing it against existing approaches can be a useful way to build confidence in change. Gaining high-quality, adversarial insights into how resilient something is can help move people towards embracing the new and doing away with the old.
- Collecting user feedback. This is a powerful way to see how things actually work from those it most directly impacts. When we talk about authentication, this is really important because people might be going through it multiple times a day, every day, depending on the organization and its policies.
Broadly gained confidence within an organization makes it more likely that change will last beyond a given leader’s tenure. The confidence gained can also positively influence the culture surrounding cybersecurity.
The Compliance Angle
Modernization efforts to roll out emerging trends like passwordless technology cannot neglect the importance of compliance. Whether we like it or not, compliance drives a large amount of the decisions that happen in this industry. It fuels funding and anchors third-party risk management programs. Plus, this list wouldn’t be complete without a reference to awareness training. Moving the collective mindset, I believe, can happen through compliance, so often the black sheep of the industry.
Looking through standards like the Cloud Security Alliance Cloud Controls Matrix (CCM), NIST 800-53, and others, there are plenty of references to passwords. I believe we need to push for these things to change and evolve at this level. If we can’t do that or until we do that, as a professional changing the mindset within an organization, we need to have answers as to how we satisfy “compliance” through modernized approaches to age-old problems.
Concluding Thoughts
Other emerging trends, such as Zero Trust, will inevitably help the matters described in this article. Traditional means of authenticating are not phishing resistant. Countless data breaches have proven that this approach is not adequate, yet we can’t move the needle through FUD (fear, uncertainty, and doubt). Approaching workforce development and mindset change from an iterative and explorative cycle of confidence building will go a long way to seeing lasting change.
Want more cybersecurity insights? Visit the Cybersecurity channel:
