9/16/16, 1:06 PM Bridging the cybersecurity culture gap
Page 1 of 6 http://fedscoop.com/bridging-the-cybersecurity-culture-gap
September 16, 2016
Bridging the cybersecurity culture gap
Commentary: Organizations should consider how
the idea of workplace safety has evolved if they
want strategies for baking cybersecurity into their
culture.
By JR Reagan
MARCH 25, 2016 3:00 PM
“Safety First” signs seem almost cliché now — not so in the years prior to the Industrial
Revolution. (iStockphoto)
Everyone seems to be talking about “workplace culture” these days.
Although the concept has been around since the 1980s, businesses
and government agencies are now realizing the importance of “the
way we do things around here” to retaining valued employees and
adding value to the enterprise, according to a Deloitte University
Press report.
Now, some want to apply the concept to cybersecurity. Instilling a
“cybersecurity culture” could improve any organization’s ability to
safeguard its data, systems and networks, the theory goes. The
National Cyber Security Alliance calls for a “culture of awareness”
around cybersecurity in every workplace. But how do we make this
happen? How do we create a culture in our organizations in which
cybersecurity is a top priority at every level, from the boardroom to
the break room?
For clues, we might look to security’s cousin, safety.
Although preventing accidents at work is a given in most workplaces
today — so much so that “Safety First” signs seem almost
cliché — safety hasn’t always been a priority. Since the Industrial
Revolution, workplace safety has undergone a number of
transformations, with many injuries, deaths, and lessons learned
along the way. Accidents became the exception rather than the rule
only in the last 50 years or so, since organizations began examining
attitudes and perceptions around safety throughout the workplace,
and how they affect practices.
The Australian Radiation Protection and Nuclear Safety
Agency traces the evolution of safety in several stages, or “ages”:
• The age of technology: Starting with the Industrial
Revolution some 250 years ago, machinery failures and flaws
bore most of the blame for workplace accidents. Engineers
strove to improve worker and plant safety by designing safer
technology.
• The age of the human: After major accidents such as the
Three Mile Island nuclear meltdown in 1979 pointed to
human as well as technical deficiencies, engineers
began factoring the human into their designs, aimed at
correcting, compensating for, and even anticipating
mistakes.
• The age of the organization: Disasters including an airplane
crash and an oil spill prompted a new look at assumptions
around safety — with people asking not only how these
accidents happened, but why. Human and even technical
failures were seen as the tip of the iceberg, indicating a lack of
leadership at the highest levels, prompting a focus on
improving an organization’s “safety culture.”
Evolving out risk
Researcher Philip Sutton lists four shifts in emphasis characterizing
the evolution of workplace safety culture:
• From employee responsibility to management responsibility.
• From post-accident coping to prevention.
• From non-systematic management to whole-system
management.
• From risk reduction to risk elimination.
When managers took up the safety mantle — establishing and
enforcing protocols around safety, providing worker training, and
encouraging supervisors and employees to report hazards
— accidents and injuries declined sharply. Eventually, most
organizations established strong workplace safety programs aiming
not just to minimize risk, but to eliminate it altogether, according to
a report in the Huffington Post.
The impetus for these changes came from organized labor and laws,
but they succeeded only where top-level executives encouraged and
supported them. Studies have shown a direct correlation between
management commitment and worker safety.
In other words, to instill a culture of safety in any workplace, the
impetus must come from the highest levels — and the message must
be, “We are all in this together.” When every employee, from entry-level
to executive, feels a vested interest in their own safety as well as
that of colleagues and even the organization itself, then the goal of
“zero risk” may at last become attainable.
Could the same be true for cybersecurity?
The cybersecurity shift
JR Reagan writes regularly for
FedScoop on technology, innovation
and cybersecurity issues.
In the “Technological Revolution” of
today, new technologies have exposed
our workplaces and employees to new
threats — of identity theft; data theft
and manipulation; compromises of
confidential, even proprietary
information, and more.
Initially, organizations focused on
improving the technology with
firewalls, anti-virus software, malware
scanners and other “fixes.” Then,
however, hackers began using
phishing and social-engineering
schemes to gain access to systems,
requiring a shift in focus to the humans using them.
As large-scale breaches continue, however, cybersecurity, too, may
need a cultural shift — one that, like successful safety cultures, is
designed around processes, not functions; is inclusive and
collaborative across all departments, offices, and levels; encourages
and incentivizes shared responsibility; and retains flexibility,
allowing us to learn, change, and grow.
Changing a workplace’s culture can be daunting, especially across
multiple agencies or locations. But, as advances in workplace safety
show, it’s doable with support from the top — and the “trickle-down”
effect, resulting in buy-in at every level, may help us not only to
reduce risk, but to eliminate it.
As we look toward the future — a continual mandate in the
cybersecurity profession — we would do well to consider the lessons
of the past, and what has worked in other realms such as
organizational safety, and safety culture. How can we rally our
workforces around cybersecurity in a way that goes to the very heart
of our organizations — to the culture that defines us?
JR Reagan is the global chief information security officer of Deloitte. He
also serves as professional faculty at Johns Hopkins, Cornell and Columbia
universities. Follow him @IdeaXplorer.