Industry Buzz

EXECUTIVE SUMMARY:

– Cybersecurity is a core business issue
– It takes more than technology
– Culture can be a force multiplier for cybersecurity
  • “Technology enables processes executed/administered/supervised by people; technology does not solve process gaps/immaturities; technology does not inherently solve for people and skill gaps/shortages.” 2022. Control System Cyber Security Annual Report. KPMG. https://assets.kpmg/content/dam/kpmg/sg/pdf/2022/07/control-systems-cyber-security-report-2022.pdf

  • “Every incident has unique facets and may not fit neatly in a given security policy. This is where unwritten company culture fills the gap. A company’s culture is one of the most predictive indicators of both incident frequency and severity…To put it simply, shame is a powerful emotion, and threat actors know how to use it to their advantage. If a company’s culture enables shame and deceit to drive security incident handling, then they should not be surprised when compounding effects of these incidents culminate into situations similar to Uber’s.” Coveware Q3 2022 Ransomware Report https://www.coveware.com/blog/2022/10/26/q3-2022-quarterly-report

  • “if we can continue being honest: a lot of us are using IT security discussions as procrastination methods to keep us planted in our comfort areas. So much of these new paradigms are built on stakeholder engagement, business process analysis, and good governance. There isn’t a registry key for that.” Discord thread /r/NIST Controls #cmmc, June 7, 2020

  • Managers are having a hard time. They are challenged to find ways to motivate employees to perform in ways that ensure company assets are secure, networks remain uncompromised, and staff are not fooled by phishing emails and fake websites. This means that a culture of cybersecurity must be created, and that does not happen easily. The Cybersecurity Culture of Verizon Media. 2021. https://cams.mit.edu/wp-content/uploads/Verizon-Media-CyberCulture-Paper.pdf

  • “We would note that the large majority of things you need to do to be secure don’t happen in the security organization. The way institutions protect themselves is they use data more thoughtfully, their application developers create more secure applications, their procurement teams negotiate contracts which have intelligent terms and conditions that mandate vendors protect important corporate data, infrastructure teams build secure technology environments. The security team can influence that but it can’t do it by themselves. It truly takes action across the entirety of the business.” McKinsey. 2015. Beyond Cybersecurity: Protecting your digital business. http://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/protecting-against-cyberattackers

  • “As with every part of your business, culture is key. It provides the solid foundation of compliance, collaboration and communication required to ensure the resilience of your organization. You may invest millions of dollars in employee cybersecurity education, but for it to truly pay dividends… – it needs to be part of the organizational DNA. It’s getting every employee to recognize that cybersecurity is no longer just an IT problem. Everyone has a role to play.” Raytheon CEO on Creating a Cyber-Safe Workplace. An interview with Raytheon CEO Thomas Kennedy. Chief Executive Magazine. March 19, 2019. https://chiefexecutive.net/raytheon-ceo-on-creating-a-cyber-safe-workplace/

  • “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” Bruce Schneier. Secrets and Lies. Wiley (2015)

  • “Everything is now a computer. This is not a phone, this is a computer that makes phone calls; or a refrigerator is a computer that keeps things cold; an ATM machine is a computer with money inside. Your car is not a mechanical device with computers, but a computer with four wheels and an engine, actually, a hundred-computer distributed system with four wheels and an engine.” 2016. Bruce Schneier. Remarks to Congress. http://myprivacykit.com/wp-content/uploads/2017/03/Schneier-transcript-November-16-2016.pdf