Over the past five years we have seen a fundamental shift in the cyber threat landscape. The news is filled with examples of how companies are having their data stolen or their systems disrupted. Over the coming years we will see the next evolution of cyber threats. The explosion of the Internet of Things, increased connectedness, business reliance on technology and data sprawl will create significant exposure for most industries.
Even with this increasing exposure, a breach or harm event does not have to be inevitable. There are ways to position your organization in preventing a major cyber breach or disruption of services.
An organizational culture that recognizes cybersecurity as a business imperative is a great way to improve security program performance. Moving toward a culture that is both strategically and operationally sensitive to cybersecurity needs is a significant change for any company. An organizational philosophy that is responsive to this culture and mindset change and has been effective within industries that deal with life safety is the “High Reliability Organization”.
High Reliability Organizational principles have the potential to create a culture of “Cybersecurity mindfulness”. If we applied these principles and mindfulness to a cybersecurity program it would have these characteristics.
• A preoccupation with the failure of Cybersecurity controls.
• Reluctance to simplify interpretations of risk exposure and threat data.
• Active observation, situational awareness and engagement of leaders and stakeholders within the Cybersecurity program.
• Recognizing that Cybersecurity is a business imperative and the need for the building of resiliency within the business to support that imperative.
• Listening to and involving subject matter experts from across the business.
• The creation of transparency, trust and accountability with a focus on continuous learning.
• The sharing of cybersecurity best practices and threat information with other businesses and industries.
Driving High reliability principles within the business and its cybersecurity program is no easy task. It is a cultural shift that can take years to take hold. There are some activities that I believe can make an immediate impact and have the potential for creating positive stakeholder engagement and the planting of seeds for a successful program.
Having a cyber risk management program that fully inventories risk and identifies the most significant cyber threats to the business can be extremely helpful. When addressing inventorying risk, it is best to start with an inventory of all your data and assets as well a security control framework. The National Institute of Standards Cybersecurity Framework is a great place to start. Evaluating your environment against these sets of controls can help you better understand your cyber weaknesses.
Cybersecurity controls do not mean much unless you understand the threats that are most relevant to your industry and business. Performing threat event and scenario walkthroughs and collaborations is an excellent approach to developing a common understanding of the most probable and harmful cybersecurity incidents. The output of this collaboration would be a scenario catalog that would be linked to both cybersecurity risk management and operational activities. This approach and the bridging of operations and risk management helps create a collective understanding across all stakeholder groups. By bridging operations and risk management, there is a direct signaling structure that allows leadership to set risk tolerance into operations and for operations to signal effectiveness back to leadership.
Building a plan that is prepared for today and the future can be a daunting task for any organization. As stated earlier, cyberattacks are going to become much more complex in the future. To be prepared, organizations will need to think differently. “Living with cyber risk” will become the norm. Traditional risk registers will need to transform into risk portfolios where good and bad risk can co-exist together for effective management of trade-off decisions. Cybersecurity programs will need to transform into high reliability programs that can adapt quickly to business changes and the evolving threat landscape. Cybersecurity will need to be fully integrated into the end-to-end service delivery and not viewed as an outlier process.
An organization’s plans will need to recognize that whether we are a local Fort Worth business or large global company, we all must coexist together on the Internet. We are interconnected and have the potential to impact each other. A great example is the recent Denial of Service attacks that impacted large portions of the Internet in October. This attack used malicious software that took control of “Internet of Things” such as DVRs and video cameras. These devices flooded the Internet service that allows our Internet browsers to find websites like cnn.com and twitter.com. Who would have thought that systems such as these could be used to perform cyber-attacks?
I believe that applying High Reliability Organizational principles and creating a culture of “Cybersecurity mindfulness” has the ability to reduce the probability of a business being a victim of a successful cyber-attack. At minimum, it has the potential to reduce the impact of a breach to customer’s data and improve Cybersecurity investment prioritization.
Ron Mehring is vice president of technology & security, Texas Health Resources