Cyber-Culture: An Organization Imperative

Posted on: April 7th, 2020

This Guest Blogger edition of the News & Tips to Combat Workplace Violence, featuring Dr. Ken Ferguson, will focus on the cyber security threat from a cyber intrusion management perspective. The purpose of my blogs is to introduce correlations between gaps and vulnerabilities in workplace security and the potential threats posed by the disgruntled current or former worker whose intent is to get revenge without crossing the line of physical violence. Usually, workplace culture has some role in creating the vulnerability or gap that gives the disgruntled current or former employee, or the criminal intruder, access to sensitive information and systems. While Ken’s initiative is aimed at more than malicious intent, he is certainly concerned with converting the workforce from an intrusion threat into an effective barrier against successful intrusion.

Ken Ferguson and I agree that no amount of technology, policies or procedures alone can prevent malicious intruders from gaining access to sensitive systems and information. A process is mandatory. So, while technology is an important part of information and data protection, “Over-reliance on security technology can actually put an organization at risk because a large percentage of information security breaches are actually the result of faulty human behaviors, rather than hardware or software vulnerabilities” (Robert Guba, Engineering Human Security, 2008).

So what can organizations do to minimize the cyber security threat? Ken Ferguson is going to lay out a perspective focused on culture and the human factor: aggressively protecting data and information from unwitting compromise caused by human errors of omission, by creating a process that minimizes gaps and reduces vulnerabilities and/or compromises. Sometimes an organization, by its very desire to protect sensitive information and systems, creates voluminous procedures that employees do not read and/or on which they are not properly trained. The assumption is that the policy and the procedures are the solution.

In the following overview Ken Ferguson will share his experiences and expertise in articulating how structured attention to, and management of, cyber intrusion is the next major step in protecting organizations from both the intentional threat and unwitting human error.

Improved cyber security is the next organization-wide advancement needed by many business sectors of society as well as public sector agencies. This attention is comparable to other defining attributes such as safety, reliability, quality, economics, and environmental management. As we know, cyber-attacks are malicious threats by highly motivated individuals or organizations intent on disruption or criminal actions. The attack mode can be commonplace or extremely sophisticated.

Unlike many problems solvable by coordinated actions, cyber attackers will regroup and develop new challenges. The implication of this ever-present type of threat is that organizations need constant vigilance against such cyber-attacks, never abandoning cyber attention.

The conclusion of Global Nuclear Associates (GNA) is that this vigilance is a “Technology and More” situation that needs to involve an organization’s entire workforce, trained, motivated, and accountable for its involvement in cyber security attention.

This value-added end state becomes a defining culture. The integrated attention leading to this end state is summarized as a Functional Cyber Culture (FCC). Cyber intrusion can be a threat to safety, business continuity, and the organization’s very existence. Transformation into an FCC outcome is described as follows:

Key Attentions of a Cyber-Culture Transition. Systematic activity and inclusion of cyber security as an overarching attention and culture of an organization involves a variety of involvements and attributes, each of which needs to be addressed rigorously. The following are familiar considerations that need unique attention in cyber space:

PEOPLE. Cyber-Culture involves new attention by the entire workforce and also assurance that its supply chain shares such vital attention to cyber security matters. The new involvements and commitments will vary depending on organizational function and individual responsibilities and job descriptions, which may be changed in accordance with cyber attentions and responsibilities. Effective accommodation of a new culture attention involves persuading individuals to add to and/or change their daily work attentions. Any change is difficult for most individuals; transformation into a new culture can be especially difficult since the change is a “quantum leap” in nature, involving motivated accountability coupled with the proper skillsets.

Currently, “people” can be characterized as a potential source of intrusion problems rather than a successful defense element. Successful phishing by hackers, for example, is one of the more common success channels for cyber intrusion.

TECHNOLOGY. Cyber threats are also a matter of technological warfare, calling for a defense that is also technological in nature. Related attentions can include vulnerability assessments across a threat spectrum regarding key assets, monitoring of threats, intrusion diagnostics, as well as information management and sharing determinations and technologies.

Organizations need to have the internal capability or vendor arrangements to assure timely and accurate detection of cyber intrusion attempts, which can be as frequent as daily. Proper staffing and training that enable timely and accurate analysis and responsive measures need to be a defining characteristic of critical asset cyber protection.

WORK MANAGEMENT. Leveraging responsive technologies and an effectively trained and motivated workforce achieves successful results only if deployed within comprehensive work management details. This element of cyber attention success is the ultimate manner in which workforce attention is accomplished. Each work process needs to be comprehensive in itself, and the collective set of work processes needs to respond to the spectrum of cyber implications. Work management that procedurally invokes cyber security attentions, content, and related communications will result in a way of doing business that incorporates this concern into the “everyday” attention of the workforce.

Work management and its associated work processes need to be owned by their implementers and to be clear, concise, comprehensive and commonly understood. Implications involve, for example, job responsibilities that include planning, daily operations, decision making, and administrative support. Example: a design decision that traditionally included cost, reliability, and safety now needs to be assessed for cyber security implications as well.

Success in Instilling a Cyber Culture: Attention to Detail. As with most major organizational endeavors, recognizing everything that needs to be done is the first-step requirement:

Cyber Infrastructure Implications. The successful approach to an effective cyber-culture involves confirming and/or enhancing features already existent in an organization. These are the attributes and functions necessary for carrying forward the three major attentions mentioned above. We refer to these relevant functions as cyber infrastructure. The evaluations involve (1) the general effectiveness of each of these ongoing practices and (2) the extent to which these practices properly reflect cyber content.

Some examples of what constitutes this infrastructure include:
– Training
– Policies
– Procedures
– Communications
– IT, Risk and Vulnerability Tools
– Regulatory Interfacing
– Information Sharing
– Organization Structure, Hiring Practices
– Enterprise Asset Management
– Procurement
– Quality Assurance
– Program Management

Phasing for Success. As with many transition/enhancement actions, a phased approach is proper. Three basic phases are involved: (1) a gap analysis/current condition assessment, resulting in recommendations supportive of the people, technology, and work management elements and the infrastructure review results, and then (2) an implementation phase involving prioritized inclusion of the phase (1) recommendations.

For cyber culture considerations, a third phase is uniquely vital for success. This phase involves assessing, committing to, and assuring the long-term effectiveness of a successful cyber culture. Examples of this long-term vigilance include (1) cognizance of emerging new threats, (2) relevant emerging defensive technologies, and (3) awareness of relevant emerging regulations and industry standards.

Teaming for Success. Based on the above systematic approach and proper attention to detail, the following collaboration of skill sets/specialties is needed for effective cyber-culture transformation:

(a) Cognizance of the current organization’s relevant functions and effective cyber treatment
(b) Cyber security assessment tasks and technology
(c) Organization transitioning
(d) Infrastructure specialists
(e) Program management and integration

Conclusions/Summary. Cyber intrusion is a permanent threat to a wide range of organizations. The challenge is unique, but effective approaches can be planned and executed involving a range of attentions. A “Technology and More” approach is needed for effective defense of critical assets. Success is contingent on persistent commitment by the entire workforce, achieved by embedding a cyber culture and assuring its long-term sustainability.

Ken Ferguson (ferg2@att.net) is available to discuss in more detail the challenges and successful attention to functional cyber culture readiness of an organization.

Dr. Kenneth Ferguson has been involved in high-profile initiatives for over forty years. His current affiliation and focus is as a technology Vice President, including involvement in related program development and implementation. His responsibilities have included power generation, information technology and the petrochemical sector. A recurrent participation has involved change management and transformation of organizations. Establishing effective cyber security programs is his current focus. Dr. Ferguson has collaborated, managed, and interfaced with a variety of organizations such as design, engineering, regulatory agencies, R&D, training, product development, systems and safety analysis and simulation tools development, as well as manufacturing and procurement organizations.

He has also been involved in the independent evaluation of the effectiveness of client organizations as well as the evaluation of technology programs. His strategic planning work has involved advising on the value of strategic planning, introducing the methodology, and establishing a formal plan with related objectives, tasks, and related roles and responsibilities. He has broad experience in organizing and participating on industry panels, including the award-winning establishment of a workforce capacity building topic.

Dr. Ferguson has physics and engineering degrees from the University of Michigan (Ann Arbor) and Carnegie-Mellon University.

One Response

  1. Felix says:

    Dr. Kenneth Ferguson and I see this blog as a collaborative effort in highlighting the importance of addressing the human factors associated with information security risks and how best to protect against intrusion and penetration. We believe that an ounce of prevention is worth a pound of cure. Eliminating compromise begins with training the workforce on what good behavior and good practices look like, as opposed to relying on policy and procedures. However, we recognize the importance of structured policies; such policies must endeavor to illustrate appropriate versus inappropriate behavior.

What are your thoughts?