We obsess over tools and technologies when we should be focused on culture and commitment. In the recent Equifax breach, which affected more than 143 million people, a routine security patch was not applied to a critical server. In the Target breach, which cost that company over $200 million dollars, a vendor's remote access was not properly managed, and the information technology (IT) department ignored clear signs that the network was compromised. The Russian hackers who shut down the Ukrainian electric grid, affecting more than 80,000 customers, used phishing emails to trick users and steal their network accounts. And in what may be one of the scariest industrial security incidents so far, unknown hackers who compromised a Schneider Electric Triconex safety controller in Saudi Arabia reached their target because an engineering workstation was not properly isolated and secured.
Organizational failure
What these breaches, and thousands of others, have in common is this: They were not caused by a failure of technology-they were caused by a failure of the organization. You can be certain that all of these companies had some kind of cybersecurity policy, yet at the moment of greatest need, they were unable to defend themselves. We see this pattern again and again-without a foundational security culture mandated by a clear executive commitment, cybersecurity efforts continue to fail, often miserably, and at great cost. This should be unacceptable.
Why do we obsess over security controls and not over security culture? Because controls are easy, and culture is hard. Anyone can write policies; you can find free templates on the Internet. Buying tools are fun, and any competent technician can install them. We get a sense of accomplishing something.
Changing an organization's culture requires far more effort to accomplish and far more energy to sustain. Culture cannot be delegated to technicians-it is the responsibility of the C-suite. The irony is that we already learned this lesson from safety. We know that people will not necessarily behave safely. Left to human nature and the pressures of deadlines and costs, people, including management, take shortcuts, and soon people get hurt or worse. As a result, we do not just buy hardhats, we instil culture. "Do it safely, brother. Everyone goes home."
Because safety and security are two sides of the same coin, one would think we would pick up on this correlation more clearly. Though we earnestly write policies, install tools, do assessments, and try to implement controls-we see from these breaches that without the sustaining culture, these efforts will unravel, just like safety unravels without its sustaining culture. If you are responsible for security, you cannot be everywhere reviewing every design and counselling every technician, every integrator, every engineer, and every operator on the myriad security implications of every action. The culture itself must do this. Security awareness and knowledge and skills and commitment must pervade the very fabric of the organization-just like safety. As the saying goes, if it isn't secure, it isn't safe.
And what about new projects? When you raise a warning about a potentially insecure design, will anyone hear you over the din of the project deadline? The safety guy can throw the red flag-can you? Not without a security culture.
Culture and commitment
As someone who built an industrial cybersecurity program from scratch, I have these lessons burned into my brain. You cannot truly fix a problem if you treat symptoms. Only correcting the root cause will fix the problem permanently. The root cause of failure that led to all those breaches, and all the breaches yet to come, is the lack of a security culture and a corresponding executive commitment to make security a core competency. For security to be an organization's core competency, you need an executive sponsor and a champion (preferably the CEO) who will advocate for the appropriate governance, funding, staffing, and training to create a real security program alongside your real safety program. If your executive has not made a clear commitment to a security culture, then at the worst moment, the organization will likely fail as have so many others. No one should be surprised when that happens. In any complex endeavour, without the necessary foundations of success, failure is practically preordained.
Security is no exception.
I am not arguing against security controls, or tools or technologies, or policies or procedures or practices. They are necessary and critical-but they are not sufficient. They are not foundational. Security is not a thing; it is a management outcome, and there is no magic here: Culture and Commitment = Outcome.
By Paul Rostick
Content Credits: International Society for Automation
