Fixing the ImpossiBle
24/7 (202) 973-1300   

Changing the Culture of Cybersecurity

Within each individual lives one core principle: if we don’t like what is going on in our business, job, or life, we are the only one’s capable of changing it. No one else. It’s what’s inside of us and our desire to effect change that matters.

Apparently, others feel that way about cybersecurity. This week alone there were several articles exhorting that, “its time to change the culture of cybersecurity.” One article noted the retired Maj. Gen. Earl Matthews, now the vice president of enterprise security solutions with Hewlett Packard Enterprise’s U.S. public sector group, at a FireEye event, “It’s about culture.” Every organization has a different approach to cybersecurity, he said, and a cyber-savvy culture “starts with leadership and how that leadership is being used from the top down.”

You are not alone if you think cybersecurity is broken. You are not alone if you think something needs to change dramatically before we get overrun by today’s asymmetrical cyberwarfare trends. Many experts think the same way. Unfortunately, these same experts have scores of solutions about how to change things and multiple platforms to sell you to effectuate those changes. Most come without messaging or pre-packaging. 

Let us propose two mind-blowing solutions to today’s cybersecurity cultural dilemma. They are both shocking concepts or “next gen” as many cyber consultants say. Hold on to your seats:

  • Make cybersecurity a business priority: Good cybersecurity does not start from the top-down. Nor the bottom up. Its permeates every layer of company culture. It exudes from the company’s pores: “Nope, they are not going to get us today. Not on my watch.” It breeds confidence. It breeds competence. Executives need to take responsibility for cybersecurity and set the course. They need to regularly and proactively, in plain English, exchange security information, performance, and trends so that good business judgments can be made about how best to protect the company’s network. Cybersecurity is not just an IT problem. It’s everyone’s problem.

Employees need to live and breathe a culture of responsibility too. For example, not “clicking on the link” can save their company’s tons of grief. Authenticating wire and funds transfers based upon a single email can hopefully prevent sophisticated business email compromise scams. Employee managers and supervisors needs to sing from the same hymnal. Clicking on an unknown link or attachment is never good. Period. Little gains like we mention here can mean big overall gains down the road.

  • Protect the Most Which Matters the Most: A good friend, Kevin Mandia, taught me this little saying. It is however probably the most under-valued idea in cybersecurity. Once an organization has identified, categorized, and valued its digital assets, it needs to determine which of these assets are most valuable. Is it the plans to a new sports car, a new aircraft carrier, or a new fighter jet? Is it proprietary business or investment information? It really doesn’t matter what it is so long as the company “identifies” it as sacred. And then protects it like a mother tiger does her cub. Put most sensitive data in a private cloud. Encrypt the data while it’s there for good measure. Segment it from the rest of your network. Micro-virtualize a firewall around it so no bad ‘east-west traffic’ can attack it.

We can recommend many other steps to create an adaptive defense. But we won’t. You get the point. Protect your most valuable assets within an inch of your life. You won’t regret it.

In truth, these suggestions probably do not qualify as “next-gen.” But, in fact, maybe they do, or at the least, maybe these suggestions need to be re-examined today. Something is not right today with the culture of cybersecurity. It needs to change. Whether we want it to change or not, is entirely up to us.

More Posts