When working with CEOs, I like to use a safety program as the model for an organisation's cyber security program, with the two running in parallel. In a number of industries a safety program is required, but it is a good idea for every company to have one.
A former colleague once managed such a program for a small trucking firm. The company had under-invested in accident prevention, training and awareness, and in managing driver sleep time between shifts. The risk of this under-investment was raised repeatedly without appropriate action being taken. An incident finally occurred involving a gas truck, an overpass and a Volvo heading home. The results were devastating.
A cyber incident can have truly kinetic results, including loss of life, loss of customers, damaged reputation, stolen data, lost business uptime or a class action lawsuit. The threat of a cyber attack is real and potentially dangerous. Ensuring that employees are aware of that threat and understand their role in securing the organisation is an effective way to decrease the risk of incidents.
A safety program requires management and training, as it's an organisation-wide culture. Companies with a culture of safety make it visible throughout the entire organisation, but we don't often do the same with cyber security.
To create a culture of safety, time and resources must be spent on ensuring that people are properly equipped and trained in procedures and understand how to prevent incidents, as well as what to do in the event of an incident.
In the US Marine Corps, safety is drilled over and over but they also have videos and training. They show the accidents. They talk about what went right and what went wrong. Marines drill in the scenarios.
One thing sticks in my memory regarding safety planning from when I was stationed on an aircraft carrier as a Marine. First we watched a video of the U.S.S. Forrestal blazing away as a jet-fuel fire began setting off live ammunition. That video led to endless firefighting simulation drills. I threw on firefighting gear and grabbed hoses.
So even the Marines had a firefighting job in the event of a fire. It was part of our culture on board and part of our daily lives. Incidentally, we later had two fires: an F-18 aircraft that caught the wrong wire, and an on-board fire. Neither resulted in anything worse than a bit more training, and there was no loss of life. Training and constant awareness work.
These are all qualities that a cyber security program should share. Just as safety is everyone's responsibility, so is cyber security. A CEO doesn't need to know all the ins and outs of a program, but knowing if everyone in the organisation has gone through it is a good start.
There should, however, be specific training for the CEO, the executive team and the board. They should go through the training themselves and ask any questions that come up. The management team should be constantly educating the entire organisation to help ensure that their Commander's Intent for cyber security is being carried out.
To create the culture in an organisation, a leader must find a way to communicate the importance of cyber security. Start by filming a video message and sharing it with employees.
People are the key to any successful organisation. They are also the key to a successful cyber security program. Ensuring they are aware and trained will keep a business out of the headlines and ahead of its competition.