Cybersecurity and building a high-reliability organization: lessons from the US military for CEOs

Published: Tuesday, 01 September 2015 08:30

As organizations worldwide continue to fall victim to cyber-attacks made possible by the mistakes of their own network administrators and users, a new report shows how CEOs can take a cue from the US military and create high-reliability organizations (HROs) that consistently guard against cybercrime.

An article published in the Harvard Business Review, ‘Cybersecurity’s Human Factor: Lessons from the Pentagon’, by James A. Winnefeld Jr., Christopher Kirchhoff, and David Upton, identifies the six principles at the heart of the US military’s success in stopping attacks on its systems and quickly containing the few intrusions that occur. Crucially, the authors also indicate how the principles can be put into practice in other types of organizations.

“A recent survey by Oxford University and the UK’s Centre for the Protection of the National Infrastructure found that concern for cybersecurity was significantly lower among managers inside the C-suite than among managers outside it. Such short-sightedness at the top is a serious problem,” said David Upton, American Standard Companies Professor of Operations Management at Saïd Business School, University of Oxford.

“The reality is that if CEOs don’t take cybersecurity threats seriously, their organizations won’t either … They must marshal their entire leadership team—technical and line management, and human resources—to make people, principles, and IT systems work together.”

The core principles that have enabled the US military to successfully fend off more than 30 million known malicious attacks work together to create a culture that leads people, without exception, to eliminate ‘sins of commission’ (deliberate departures from protocol) and own up immediately to mistakes. People in such a culture understand all aspects of the system, and know and follow all operational procedures to the letter, which means that they listen and respond to their own internal alarm bells, helping them to forestall potential problems.

The authors acknowledge that inculcating these principles into an organization with a formal command structure such as the military may be easier than in a looser, more democratic organization. However, they have identified measures that leaders in any organization can take to embed these principles in employees’ everyday routines:

The Harvard Business Review article can be found here