There are magnificent examples of organisations succeeding at cyber security in an environment where most others are failing – and they have done so without any extra investment. The $64,000 question is: How? As Martin Smith states, it’s all about culture change from within.
Nearly a decade ago my dear father died after several grim weeks at our local hospital where he was being treated for terminal cancer. Keep going, loyal reader of Risk UK, as I will duly explain how this applies to the state of cyber security in the year 2014.
We were all heartbroken, of course, not just because of Dad’s passing but mainly due to the miserable experiences of his dying days while in the hands of the NHS. My father was a proud man – intelligent and perceptive, gentle and uncomplaining in equal measure – and deserved far better than the care on offer.
My perception was that staff at all levels seemed simply not to care. It was clear they’d given up, not just with my Dad but with the system. You could smell the despair in the air. The hopelessness was seemingly all-embracing and the inertia complete.
Complete and profound change
Wind the clock forward to today. Over the past two years my dear and now very elderly mother has suffered a series of small heart attacks. As a result, she has been admitted six times as an emergency patient into the very same hospital.
Accordingly, my mother has experienced (and I’ve witnessed in detail) the full process from ambulance to casualty to medical assessment to ward admission and on through healing to discharge and follow-up care.
The change at the hospital is both complete and profound. It’s hard to believe this is the same place. The treatment of my mother has been exemplary, not just sporadically but consistently on each admission and at every stage of the process.
I’ve been able to spend days with my mother, keeping her company and just observing and listening to staff and patients alike. Culture change is my business, so my professional antennae have been fully extended.
Given the universally despondent reports in the national press about the present state of the NHS, I was finding it difficult to reconcile the difference between what I had previously experienced, what I was expecting and what I was now seeing.
The members of staff are happy. The whole atmosphere is one of optimism and positivity. Change is evident everywhere. The nurses really care, and smile at both each other and at their patients and visitors. Doctors take time to speak with their patients and explain to them what’s going on. Care assistants perform their ancillary duties diligently.
What has changed, why and how? My mother might be seen by some as just another old lady with a failing heart who makes no fuss. She’s certainly no exception to the norm. It’s just that the system now embraces her and all the other patients at this particular hospital. They are recognised as customers and treated accordingly. It looks like the same hospital, with mainly the same staff and resources and the same budget, but clearly the whole culture has been dramatically altered for the better. I cannot imagine this scenario has been easily or quickly achieved, but the difference is most certainly overwhelming.
Reports in the national news often indicate widespread failures in the NHS across the whole country despite the vast and increasing sums of money thrown at it, and there’s little obvious sign that things are changing for the better. Of course, my local hospital is still struggling to deal with the ongoing pressures placed upon it, but the place absolutely serves as a shining example of how failings can be addressed without just throwing more money and managers at them.
The senior management has changed the culture. They have empowered the doctors and carers. They’ve made great efforts to communicate with staff and patients alike, and they’ve included the patients within their own treatment regimes. They have removed layers of management and silos of specialism such that everyone works as an integrated team.
This same lesson applies to cyber security in 2014. Cyber security still has insufficient profile and status among Board members despite their own obvious concerns. Notwithstanding the vast and increasing sums of money being directed towards this issue, our vulnerabilities to cyber attack continue to grow both at home and at work, as individuals or as corporations. The levels of e-crime continue to rise.
Data breaches and ID theft
Data breaches occur with increasing monotony and do great harm. International and industrial espionage is rife. Privacy is becoming a thing of the past. ID theft is commonplace while the threat to our children from grooming and our society at large from online pornography – and worse – grows on a daily basis.
The cyber security sector is fooling no-one except itself that things are alright. Our Boards are despairing at online safety and security in the same way that the public is despairing at the state of the NHS. Trust in cyber space was always a fragile thing anyway, but it’s being constantly bombarded and damaged by reports in the media of one breach after another.
Similarly, trust in organisations’ cyber security functions was always going to be a fragile thing, but what little traction it had is – in so many cases – being eroded on a daily basis. No matter how much money Boards throw at cyber security, their companies are still very likely to appear in tomorrow’s newspapers. Each day that they don’t make the headlines is not a day that their cyber security efforts have succeeded, but simply another day nearer the one when they will suffer a breach and thus make the headlines.
So many of these problems can so easily be overcome and trust restored. As is the case with the hospital and its improvements, there are magnificent examples of organisations succeeding at cyber security in an environment where most others are failing – and they have done so without any extra investment.
Part of ‘business as usual’
The difference – the only difference, in my humble opinion – is their culture. They have made cyber security part of ‘business as usual’. They have shown how good security can be a business enabler rather than just a cost on the bottom line. They have proven that it is indeed possible to gain by not losing. They have brought cyber security from the periphery and the shadows into the centre of the business stage, and they have merged it (and all other security functions) into a single risk management organisation – embracing the ‘convergence agenda’.
They’ve educated their workforces about the basics of cyber security (so-called ‘cyber hygiene’), empowering them both to protect their own data and systems and to report problems easily and quickly. Like my local hospital, these enterprises have stopped doing more of the same and instead looked sideways at how they can make what they already do so much more effective.
Like my local hospital, they have profoundly changed their cultures by taking time to communicate properly with everyone in the system – members of staff and customers alike. This last factor has been the key. It’s the single factor that has flipped the coin.
Like my hospital, they are a work in progress. There is still much to be done and many benefits still to be gained. If it can be done at these organisations, why not everywhere? The answer lies within our own power to change.
The fact that the cyber security industry still cannot – or will not – accept this, well… It’s enough to make a grown man cry.
Martin Smith MBE FSyI is Chairman and Founder of The Security Company (International) and the Security Awareness Special Interest Group