Despite all the digitalization of tools and advancements in automation, humans are often described as the most important element in cybersecurity, and for good reason.
“Security is a people business,” Timothy Youngblood, SVP, CSO and product security officer at T-Mobile, said Friday at CES in Las Vegas.
“I call all of my partners in this my human firewalls because at the end of the day all it takes is one person to make the wrong decision,” he said.
Youngblood, who previously served as CISO at McDonald’s, Kimberly-Clark and Dell, is acutely aware of the risks confronting the world’s largest enterprises. He joined T-Mobile about four months before the mobile network operator suffered a massive data breach in August 2021, widely considered the largest carrier breach on record.
The cyberattack exposed personal data on at least 76.6 million people, and T-Mobile in July 2022 agreed to pay $500 million to settle a class-action lawsuit stemming from the incident.
Cybersecurity is a top three risk for most major companies, according to Youngblood.
Simulating a lure
To illustrate the unrelenting threat at a corporate level, T-Mobile put a honeypot on the internet to see how often adversaries come after the company’s assets. “What we discovered is that it was attacked 65 million times a day. It can’t get more real than that,” he said.
“I only know companies that have been breached and those that don’t know they’re breached yet,” he said.
Youngblood tries to limit the impact and frequency of those incidents at T-Mobile by bolstering the company’s security posture across multiple activities and individualized efforts.
Persona-based training tailored for specific employees, such as field technicians, executive assistants, retail staff and database administrators or architects, takes into account how those individuals work and the security impacts that could occur in their environment.
Real-time teachable moments like monthly phishing campaigns, which are constantly tested for efficacy, help T-Mobile’s workforce understand how to react to potential incidents, Youngblood said.
“We did 160,000 phishing campaigns last year, and we wanted to make sure that every person at T-Mobile got tested on whether they did the right thing or not,” he said.
T-Mobile’s cyber training regimen is based on a risk quantification process that accounts for current threats and incidents. The company tries to make it engaging and recognizes the most resilient employees with rewards.
“One of the biggest complaints — and anybody in the cyber world will tell you — [is] that people are just inundated with training. And so we try to get creative around that aspect,” Youngblood said.
For cybersecurity professionals, that’s complicated by the fact that the common culprits — weak passwords, compromised accounts, poor system hygiene and unpatched systems — keep causing issues.
“Let’s face it, this is a very high risk and intense job in cybersecurity. There’s a lot of pressure and I think it’s important to provide team members that are in this position to know that they’re not in it by themselves and that it’s OK to ask for help,” Youngblood said.
“We understand you’re not perfect, so don’t think that you have to be,” he said. “Make sure that you can ask for help. If you’re feeling burned out and you need time off, then let’s make sure we can give that to you.”