As organizations worldwide continue to fall victim to cyber-attacks made possible by the mistakes of their own network administrators and users, a new report shows how CEOs can take a cue from the US military and create high-reliability organizations (HROs) that consistently guard against cybercrime.
An article published in the Harvard Business Review, ‘Cybersecurity’s Human Factor: Lessons from the Pentagon’, by James A. Winnefeld Jr., Christopher Kirchhoff, and David Upton, identifies the six principles at the heart of the US military’s success in stopping attacks on its systems and quickly containing the few intrusions that occur. Crucially, the authors also indicate how the principles can be put into practice in other types of organizations.
“A recent survey by Oxford University and the UK’s Centre for the Protection of the National Infrastructure found that concern for cybersecurity was significantly lower among managers inside the C-suite than among managers outside it. Such short-sightedness at the top is a serious problem,” said David Upton, American Standard Companies Professor of Operations Management at Saïd Business School, University of Oxford.
“The reality is that if CEOs don’t take cybersecurity threats seriously, their organizations won’t either … They must marshal their entire leadership team—technical and line management, and human resources—to make people, principles, and IT systems work together.”
The core principles that have enabled the US military to successfully fend off more than 30 million known malicious attacks work together to create a culture that leads people, without exception, to eliminate ‘sins of commission’ (deliberate departures from protocol) and to own up immediately to mistakes. People in such a culture understand all aspects of the system and know and follow all operational procedures to the letter, which means they listen and respond to their own internal alarm bells, helping them to forestall potential problems.
The authors acknowledge that inculcating these principles into an organization with a formal command structure such as the military may be easier than in a looser, more democratic organization. However, they have identified measures that leaders in any organization can take to embed these principles in employees’ everyday routines:
- Take charge. CEOs should ask themselves and their leadership teams tough questions about whether they’re doing everything possible to build and sustain an HRO culture. Meanwhile, boards of directors, in their oversight role, should ask whether management is adequately taking into account the human dimension of cyber defense.
- Make everyone accountable. All managers, from the CEO down, should be responsible for ensuring their reports follow cyber safety practices. Managers should understand that they, along with the employees in question, will be held accountable. All members of the organization ought to recognise they are responsible for things they can control.
- Institute uniform standards and centrally managed training and certification. Merely e-mailing employees about new risks is not enough. Nor is an annual course on digital policies, with a short quiz after each module. Cybersecurity training should be as robust as programmes to enforce ethics and safety practices, and companies should track attendance. After all, it takes only one untrained person to cause a breach.
- Couple formality with forceful backup. Be clear about who is in charge of what, and what users are and are not allowed to do. Regularly reminding employees that their adherence to security rules is monitored will reinforce a culture of high reliability.
- Check up on your defenses. CEOs should invest more in capabilities for testing operational IT practices and expand the role of the internal audit function to include cybersecurity technology, practices, and culture. Scheduled audits should be complemented by random spot-checks to counter the shortcuts and compromises that creep into the workplace.
- Eliminate fear of honesty and increase the consequences of dishonesty. Leaders must treat unintentional, occasional errors as opportunities to correct the processes that allowed them to occur. However, they should give no second chances to people who intentionally violate standards and procedures.
The full Harvard Business Review article, ‘Cybersecurity’s Human Factor: Lessons from the Pentagon’, is available online.