Cybersecurity and Culture
Changing Cultures
by Dr. Jane A. LeClair
Cybersecurity is a word that is getting a lot of attention these days. Hardly a week passes without the public being informed by the media of yet another major cyber breach. Major business organizations have been attacked, the digital systems of political parties breached, our critical infrastructure probed; even the White House has been attacked. Those systems were no doubt defended against intrusions with well-configured firewalls, intrusion detection systems, monitoring, and continually updated anti-virus software, yet the breaches still occurred.

Often the causes for the breaches were human errors. During my career in the nuclear industry we referred to them as 'human performance errors' and we worked hard to eliminate them. We did so by creating a 'safety' culture in the industry that resulted in reduced errors and with all employees 'buying in' to the culture. This is exactly what is needed with regard to digital security: create a cybersecurity culture. By some estimates human errors are involved in more than 90 percent of the security breaches to our digital systems. To reduce these we need to embrace a culture that is not only aware of security, but reinforces within itself the need and understanding to forestall cyber attacks.

How do we create this culture and reduce these errors? Traditionally, we subject the new members in our organizations to a standard regimen of security training, and usually that is supplemented by the entire staff undergoing a tiresome annual refresher training event. While this training has its purpose, it is greatly lacking in effectiveness because humans will still continue to make mistakes.

To create this cybersecurity culture we must rely on a Triad defense system of Technology, Processes and People. Technologies such as firewalls, IDS and anti-virus software are an integral part of the triad, but to be effective they must be utilized properly and updated as necessary. The members of an organization must be trained to properly handle this technology. The processes are the rules and guidelines that members must be aware of and strictly adhere to. The people are of course the most important part of the triad. All the members of an organization, from top to bottom, must be trained, educated, involved and totally immersed in the culture. This is especially true for leaders, who must set the example for others to follow.

Ongoing awareness training geared to increase employee involvement and understanding of cybersecurity issues is a key factor that makes them aware of what is entailed in cybersecurity and their crucial part in it. We must also concentrate on social engineering, which plays a prominent role in cyber breaches.

As we work towards establishing this culture of safety and security we need to be aware that it is a process that involves EVERYONE. If the members of the organization don't all work together, it will not be effective. Cybersecurity is an issue for everyone because it is a daily concern for everyone, and by creating a cybersecurity culture, we can lessen our vulnerabilities and move towards being more productive.

Dr. Jane LeClair, President, Washington Center for Cybersecurity Research & Development