Bridging the cybersecurity culture gap

Commentary: Organizations should consider how the idea of workplace safety has evolved if they want strategies for baking cybersecurity into their culture.

By JR Reagan
March 25, 2016 3:00 PM

Source: http://fedscoop.com/bridging-the-cybersecurity-culture-gap, 9/16/16, 1:06 PM

“Safety First” signs seem almost cliché now — not so in the years prior to the Industrial Revolution. (iStockphoto)


Everyone seems to be talking about “workplace culture” these days.


Although the concept has been around since the 1980s, businesses and government agencies are now realizing the importance of “the way we do things around here” to retaining valued employees and adding value to the enterprise, according to a Deloitte University Press report.

Now, some want to apply the concept to cybersecurity. Instilling a “cybersecurity culture” could improve any organization’s ability to safeguard its data, systems and networks, the theory goes. The National Cyber Security Alliance calls for a “culture of awareness” around cybersecurity in every workplace. But how do we make this happen? How do we create a culture in our organizations in which cybersecurity is a top priority at every level, from the boardroom to the break room?

For clues, we might look to security’s cousin, safety.

Although preventing accidents at work is a given in most workplaces today — so much so that “Safety First” signs seem almost cliché — safety hasn’t always been a priority. Since the Industrial Revolution, workplace safety has undergone a number of transformations, with many injuries, deaths, and lessons learned along the way. Accidents became the exception rather than the rule only in the last 50 years or so, since organizations began examining attitudes and perceptions around safety throughout the workplace, and how they affect practices.

The Australian Radiation Protection and Nuclear Safety Agency traces the evolution of safety in several stages, or “ages”:

The age of technology: Starting with the Industrial Revolution some 250 years ago, machinery failures and flaws bore most of the blame for workplace accidents. Engineers strove to improve worker and plant safety by designing safer technology.

The age of the human: After major accidents such as the Three Mile Island nuclear meltdown in 1979 pointed to human as well as technical deficiencies, engineers began factoring the human into their designs, aimed at correcting, compensating for, and even anticipating mistakes.

The age of the organization: Disasters including an airplane crash and an oil spill prompted a new look at assumptions around safety — with people asking not only how these accidents happened, but why. Human and even technical failures were seen as the tip of the iceberg, indicating a lack of leadership at the highest levels, prompting a focus on improving an organization’s “safety culture.”

Evolving out risk

Researcher Philip Sutton lists four shifts in emphasis characterizing the evolution of workplace safety culture:

From employee responsibility to management responsibility.

From post-accident coping to prevention.

From non-systematic management to whole-system management.

From risk reduction to risk elimination.

When managers took up the safety mantle — establishing and enforcing protocols around safety, providing worker training, and encouraging supervisors and employees to report hazards — accidents and injuries declined sharply. Eventually, most organizations established strong workplace safety programs aiming not just to minimize risk, but to eliminate it altogether, according to a report in the Huffington Post.

The impetus for these changes came from organized labor and laws, but they succeeded only where top-level executives encouraged and supported them. Studies have shown a direct correlation between management commitment and worker safety.

In other words, to instill a culture of safety in any workplace, the impetus must come from the highest levels — and the message must be, “We are all in this together.” When every employee, from entry-level to executive, feels a vested interest in their own safety as well as that of colleagues and even the organization itself, then the goal of “zero risk” may at last become attainable.

Could the same be true for cybersecurity?

The cybersecurity shift


JR Reagan writes regularly for FedScoop on technology, innovation and cybersecurity issues.

In the “Technological Revolution” of today, new technologies have exposed our workplaces and employees to new threats — of identity theft; data theft and manipulation; compromises of confidential, even proprietary information, and more.

Initially, organizations focused on improving the technology with firewalls, anti-virus software, malware scanners and other “fixes.” Then, however, hackers began using phishing and social-engineering schemes to gain access to systems, requiring a shift in focus to the humans using them.

As large-scale breaches continue, however, cybersecurity, too, may need a cultural shift — one that, like successful safety cultures, is designed around processes, not functions; is inclusive and collaborative across all departments, offices, and levels; encourages and incentivizes shared responsibility, and retains flexibility, allowing us to learn, change, and grow.

Changing a workplace’s culture can be daunting, especially across multiple agencies or locations. But, as advances in workplace safety show, it’s doable with support from the top — and the “trickle-down” effect, resulting in buy-in at every level, may help us not only to reduce risk, but to eliminate it.

As we look toward the future — a continual mandate in the cybersecurity profession — we would do well to consider the lessons of the past, and what has worked in other realms such as organizational safety, and safety culture. How can we rally our workforces around cybersecurity in a way that goes to the very heart of our organizations — to the culture that defines us?

JR Reagan is the global chief information security officer of Deloitte. He also serves as professional faculty at Johns Hopkins, Cornell and Columbia universities. Follow him @IdeaXplorer. Read more from JR Reagan.
