As I recently posted on Novarica’s blog, “while emerging technology keeps CIOs busy during the day creating information, IT security and keeping that information protected keeps them up at night”. With last year’s Target hack and this year’s Office of Personnel Management data breach, among others, CIOs and CISOs at insurance carriers are rethinking their approach to security. In the past the main focus was on applying security technology to protect the perimeter around the data; recent attacks have highlighted that the biggest vulnerabilities may be the carbon-based life forms we call employees, contractors and consultants.
A Harvard Business Review article on the recent breach of an unclassified e-mail system at the Pentagon discusses the U.S. military’s emphasis on human factors to minimize cybersecurity risk. If any organization faces a complex task in securing its data and communications, it is the Department of Defense: it is targeted by well-funded and persistent attackers, yet it must share extremely sensitive information in a timely manner with staff from the top to the bottom of the organization.
The article summarizes the methods the U.S. Navy’s propulsion program uses in its training, reporting and inspection programs: a six-area approach that any organization can use to build a better cybersecurity culture, so that people reinforce rather than undermine the technical measures in place. For each of the six areas mentioned in the article, I’ve added a question for you to consider for your organization.
1. Integrity – Military units in the DoD have a strong sense of their mission and clearly know their role in maintaining cybersecurity. One element is the expectation that everyone has the integrity to follow security protocols and procedures, and to quickly let others know when they have made a security mistake. What is your organization more likely to do: punish someone who violates a security rule, or praise that person for quickly coming forward so that the issue can be resolved immediately?
2. Depth of understanding – The military stresses “thorough understanding of all aspects of a system” so that those maintaining and using systems can recognize issues when they arise and address them effectively. Are you ensuring that IT staff and contractors have full knowledge of the systems and interfaces they work on, and that every change is reviewed for potential security issues?
3. Procedural compliance – The culture in military units is to know the proper procedure and follow it completely, without exception. My former boss, who had previously been captain of a nuclear attack submarine as well as commander of the U.S. Pacific Fleet, told me that every sailor on the vessel followed orders immediately and without question, because if they didn’t, someone could lose their life. Is your staff committed to following operating procedures, and to keeping the documentation for those procedures up to date?
4. Forceful backup – For any high-risk task, at least two people, never a single staff member, are required to complete it. Also, anyone in the unit, from the most junior sailor to the commanding officer, can stop the process if they see a security issue. Does your organization give the same level of attention to its high-risk security activities (granting access to systems, for example)?
5. A questioning attitude – All personnel are trained to listen to their “internal alarm bells” and act on them: the “if you see something, say something” culture that public safety officials stress. Do you welcome questioning of your security measures by staff, or are you allowing blind spots to persist?
6. Formality in communication – Finally, the military almost has its own language for communicating orders and instructions. When an order is given, the recipient repeats it back exactly as given before proceeding, to confirm it was heard and understood. This formal approach minimizes miscommunication and leaves little room for errors such as misinterpreting or altering the order. Do you have an equally formal approach to implementing security, especially for access to systems and for working with third parties on data interfaces?
Insurance CIOs and CISOs can learn from the military’s approach to developing a strong cybersecurity culture. A disciplined, documented and determined cybersecurity environment that backs up appropriate levels of technology can minimize risk and ensure a fast and effective response when security issues arise.
Novarica is not an IT security consulting firm and does not provide specific advice on IT security matters. CIOs and other IT executives should consult one or more of the many consulting firms that provide specialized expertise in IT security issues when developing and implementing their IT security plans. Please see my report “CIO Checklist: IT Security Planning”, or contact me if you’d like to discuss strategy for implementing IT security.