An article published in the Harvard Business Review, Cybersecurity’s Human Factor: Lessons from the Pentagon, by James A. Winnefeld Jr., Christopher Kirchhoff, and David Upton, identifies the six principles at the heart of the US military’s success in stopping attacks on its systems and quickly containing the few intrusions that occur. Crucially, the authors also indicate how the principles can be put into practice in other types of organisations.
‘A recent survey by Oxford University and the UK’s Centre for the Protection of the National Infrastructure found that concern for cybersecurity was significantly lower among managers inside the C-suite than among managers outside it. Such shortsightedness at the top is a serious problem,’ said David Upton, American Standard Companies Professor of Operations Management at Saïd Business School, University of Oxford. ‘The reality is that if CEOs don’t take cybersecurity threats seriously, their organisations won’t either … They must marshal their entire leadership team—technical and line management, and human resources—to make people, principles, and IT systems work together.’
The core principles that have enabled the US military successfully to fend off more than 30 million known malicious attacks work together to create a culture that leads people, without exception, to eliminate ‘sins of commission’ (deliberate departures from protocol) and own up immediately to mistakes. They understand all aspects of the system, and know and follow all operational procedures to the letter, which means that they listen and respond to their own internal alarm bells, helping them to forestall potential problems.
The authors acknowledge that inculcating these principles into an organisation with a formal command structure such as the military may be easier than in a looser, more democratic organisation. However, they have identified measures that leaders in any organisation can take to embed these principles in employees’ everyday routines.
1. Take charge. CEOs should ask themselves and their leadership teams tough questions about whether they’re doing everything possible to build and sustain an HRO culture. Meanwhile, boards of directors, in their oversight role, should ask whether management is adequately taking into account the human dimension of cyberdefense.
2. Make everyone accountable. All managers—from the CEO down—should be responsible for ensuring their reports follow cybersafety practices. Managers should understand that they, along with the employees in question, will be held accountable. All members of the organisation ought to recognise they are responsible for things they can control.
3. Institute uniform standards and centrally managed training and certification. Merely e-mailing employees about new risks is not enough. Nor is an annual course on digital policies, with a short quiz after each module. Cybersecurity training should be as robust as programmes to enforce ethics and safety practices, and companies should track attendance. After all, it takes only one untrained person to cause a breach.
4. Couple formality with forceful backup. Be clear about who is in charge of what, and what users are and are not allowed to do. Regularly reminding employees that their adherence to security rules is monitored will reinforce a culture of high reliability.
5. Check up on your defenses. CEOs should invest more in capabilities for testing operational IT practices and expand the role of the internal audit function to include cybersecurity technology, practices, and culture. Scheduled audits should be complemented by random spot-checks to counter the shortcuts and compromises that creep into the workplace.
6. Eliminate fear of honesty and increase the consequences of dishonesty. Leaders must treat unintentional, occasional errors as opportunities to correct the processes that allowed them to occur. However, they should give no second chances to people who intentionally violate standards and procedures.
The Harvard Business Review article can be found here: https://hbr.org/2015/09/cybersecuritys-human-factor-lessons-from-the-pentagon
David Upton is the American Standard Companies Professor of Operations Management. He holds an MA and MEng from Cambridge University (Engineering) and a PhD in Artificial Intelligence from Purdue University. He was a Professor on the faculty of the Harvard Business School from 1989-2009.
Source: Saïd Business School, University of Oxford