One of the things I have always enjoyed is making connections between people and introducing different worlds to each other in order to build understanding and find common ground.
Imagine my excitement when I got introduced to Professor Dave Chatterjee and his work on building cyber security readiness across people, processes, and technology. Professor Chatterjee invited me to his cyber security readiness podcast to speak about building emotional firewalls.
We had an honest conversation about framing this topic correctly: he was intrigued by the name, but how does it relate to cyber security readiness? Professor Chatterjee has a strong work ethic and passion for what he does. We worked together to prepare a conversation that would add value to his community and listeners, one where practicality prevails over complexity and fear-mongering.
I remember Professor Chatterjee being adamant about making our episode tangible and relatable to his audience, listeners, and anyone unfamiliar with emotional intelligence and the human factor of cyber security. This is why I read his book with great pleasure and interest. Professor Chatterjee has a way of writing that keeps his readers engaged without boring them, and alert without frightening them.
When we read the headlines, cyber is all over the place and can cause high levels of fear: fear of the unknown, fear of uncertainty, wondering what if this happens to us? Here is where communication and building understanding come in.
Many cyber practitioners or organizations focus on building awareness, but awareness without understanding won’t reduce fear levels or get people to do things differently with a security-first mindset.
Awareness is the perception that cyber threats pose a significant risk to business continuity, but understanding is translating those risks into people’s map of the world with knowledge. The number one reason people feel fear is the unknown. If we focus on mitigating the unknown with knowledge, and on building understanding with practical recommendations and feasible implementation strategies, that is when we can truly begin to build a healthy cyber security culture.
Professor Chatterjee’s book is a fascinating and insightful read that does precisely this. The book is filled with practical case studies examining cyber risk, ranging from large corporations such as Equifax to the world of small businesses and start-ups. After every chapter, he summarizes his findings through guiding questions to help readers reflect on and assess their cyber security maturity strategies. His critical success factors are rooted in three fundamental pillars: Commitment, Preparedness, and Discipline, which start with the information security culture.
Strategy eats culture for breakfast.
“For cyber security governance to be effective, organizational members must be willing to comply with the policy guidelines and the various control mechanisms. Research finds that positive compliance behaviors are dependent on cultural factors such as subjective norms, organizational values, and expectations. The company culture must emphasize and value cybersecurity for organizations to sustain an effective and long-term defense campaign.” – Professor Chatterjee
We have all heard the saying that culture eats strategy for breakfast, which could not be farther from today’s truth. Strategy alone won’t build a culture where every layer of your workforce, every stakeholder, is implementing basic cyber hygiene practices. This is not easy, nor is it linear, and Professor Chatterjee goes into depth about the building blocks for successful top-down leadership in his first pillar for success: commitment.
Commitment: leading people out of their comfort zone
Professor Chatterjee’s book is filled with case studies and rigorous research. But words alone won’t get people to do things differently at work. Why would someone who perceives cyber security measures as a burden leave their comfort zone if there is no commitment from the top leadership? How does an organization implement and uphold accountability so people understand and grasp the importance of securing their user environment and behaviors?
“Organizations with successful cybersecurity cultures tend to have C-suite executives who reinforce behavioural norms when leading by example.” – ISACA 2018 report
Yet, as Professor Chatterjee mentions in his book, surveys reveal that only 40% of C-level executives have an in-depth understanding of cybersecurity protocols. This may raise many eyebrows, and for me, begs the question: How is cyber risk communicated as the fragile foundation that can cause significant business disruption in the digital age?
Tackle uncertainty head-on with preparedness
This leads me to his second pillar for success, which is preparedness. In NATO, we were either in conflict or preparing to be in conflict. Therefore, preparedness was a significant part of our organizational posture. Scheduled civil and military exercises were planned months and even years ahead of time, with wargaming, scenario simulations, and a diverse ecosystem of stakeholders across the public and private sectors. Cyber was never an afterthought but was perceived as the technical anatomy of NATO’s digital footprint, a footprint that protects the lives of more than 1 billion citizens across the transatlantic landscape.
We are painfully reminded how fragile our freedom can be by the current rising tensions and the recent developments concerning Ukraine. What is more concerning is the psychological warfare and the cyberattacks aimed at weakening western democracy and national economies through business disruption tactics. So preparedness is no longer an option but a must. Answering the “what if” questions through simulations, scenario planning, and a stern look in the organizational mirror is the only way to build preparedness and cyber resilience fit for the digital age.
Stay the course with discipline
But building resilience alone is not enough without discipline. Change is constant, and transformation is never linear. When things don’t work out as planned, having a solid change management model with agile processes is critical to maintaining a disciplined approach.
“Planning and execution discipline is key to sustaining a high level of cyber readiness. An organization must have the discipline not only of planning rigorously but also of meticulously executing the plan.” – Professor Chatterjee.
Execution is essential, as a plan without implementation and experimentation is just a plan on paper. The most effective blockers of discipline, in my personal view, are processes and personalities. Unfortunately, processes rooted in legacy culture and systems are not fit for a world of constant connectivity and vulnerability.
“Insanity is doing the same thing over and over again and expecting different results.” – Albert Einstein.
A curious, critical, and growth-oriented mindset is at the heart of building cyber security readiness and the discipline required to keep moving forward. Innovating when things are not working, and having security ingrained in every part of the process as an enabler, will yield long-term results. Professor Chatterjee’s book is filled with examples of the alternative: what happens when cyber security readiness is not valued enough or not seen as an essential business risk with dire consequences.
Fortunately, his practical recommendations and risk assessment questions can help any organization, whether a large corporation or a small business, start to implement cyber security readiness strategies fit for the digital age.