When it comes to IT security, the people in the chairs are always the weakest link. Protocols have to be followed to keep things secure… but people often don’t follow the protocols. What if we designed security systems around the way that people behave instead?

We’ve done previous episodes on cybersecurity—including episodes on building a cybersecurity practice, fighting back against ransomware, and which kind of attacks are on the rise. But my guest today comes at the topic of security from what I feel is a very interesting perspective.

Frances Dewing, the co-founder and CEO of cybersecurity company Rubica, is here to talk about how the corporate cybersecurity solutions that are in place today aren’t built to be people-first—and how that is a big problem.

Listen here


Security for Humans: Interview With Frances Dewing

Frances Dewing, Rubica
Frances Dewing, Rubica

[02:22] Traditional corporate tools are designed to restrict and control the end user. We really need to build for the user first to help alleviate the friction between what IT wants (security) and what the user wants (privacy and convenience).

[04:08] People use their devices for both work and personal life. No one wants their company to monitor where they’re browsing during their personal time.

[05:10] Studies have shown that 85% of people access unauthorized content despite acceptable use policies. It’s a fallacy to think we can neatly segment work and personal device use.

[06:42] Corporate VPNs have been the default security action, especially during the COVID pandemic. But it assumes people will stay connected to the corporate VPN all day long. The reality is they don’t. Devices can be infected when disconnected from the VPN.

[08:14] Realizing this, cybercriminals have specifically been targeting remote workers and using the VPN as a tunnel back to the network.

[08:54] You need device-layer security to account for the fact that people won’t be connected to the VPN all the time.

[09:15] Companies need advanced threat protection, intrusion detection and prevention, and anomaly detection that follows the device.

[09:34] Oftentimes the only security on mobile phones is MDM. This doesn’t protect from malware, trojans, or data exfiltration and leakage.

[12:21] People need to be able to access cloud services anywhere and know that all of their devices and accounts are protected.

[12:50] The device layer, network layer, and account layer all need to be protected. We have great technology for the network layer and the account layer. Old outdated tools are often used on the device layer.

[14:15] Frances advocates for network-layer security on devices, deployed in a way that follows the device instead of being tied to a single network.

[14:53] Rubica protects the user’s anonymity. This is a key change, because privacy makes people more likely to allow the security onto their device.

[16:52] Cybersecurity teams need to move away from always trying to restrict the user and instead deploy tools that work for people, starting with privacy.

[17:54] Executives buy into this model because of the benefits. It’s the IT teams that take a little more convincing. Frances and her team position Rubica as an employee benefit.

[18:51] Rubica is an app you download onto your endpoint devices. It VPNs your device network data through its security stack. It has a host of different tools to allow secure connections to any network. It bi-directionally filters data and protects from 52 types of threats.

[20:59] It’s a mistake to think we can completely segment work and personal devices and access. We need to build security for people and the way they behave.

Listen here

Like what you hear? Listen and subscribe.