Changing the culture of ‘cyber’

There are magnificent examples of organisations succeeding at cyber security in an environment where most others are failing – and they have done so without any extra investment. The $64,000 question is: How? As Martin Smith states, it’s all about culture change from within.

Nearly a decade ago my dear father died after several grim weeks at our local hospital where he was being treated for terminal cancer. Keep going, loyal reader of Risk UK, as I will duly explain how this applies to the state of cyber security in the year 2014.

We were all heartbroken, of course, not just because of Dad’s passing but mainly due to the miserable experiences of his dying days while in the hands of the NHS. My father was a proud man – intelligent and perceptive, gentle and uncomplaining in equal measure – and deserved far better than the care on offer.

My perception was that staff at all levels seemed simply not to care. It was clear they’d given up, not just with my Dad but with the system. You could smell the despair in the air. The hopelessness was seemingly all-embracing and the inertia complete.

Complete and profound change

Wind the clock forward to today. Over the past two years my dear and now very elderly mother has suffered a series of small heart attacks. As a result, she has been admitted six times as an emergency patient into the very same hospital.

Accordingly, my mother has experienced (and I’ve witnessed in detail) the full process from ambulance to casualty to medical assessment to ward admission and on through healing to discharge and follow-up care.

The change at the hospital is both complete and profound. It’s hard to believe this is the same place. The treatment of my mother has been exemplary, not just sporadically but consistently on each admission and at every stage of the process.

I’ve been able to spend days with my mother, keeping her company and just observing and listening to staff and patients alike. Culture change is my business, so my professional antennae have been fully extended.

Given the universally despondent reports in the national press about the present state of the NHS, I was finding it difficult to reconcile the difference between what I had previously experienced, what I was expecting and what I was now seeing.

The members of staff are happy. The whole atmosphere is one of optimism and positivity. Change is evident everywhere. The nurses really care, and smile at both each other and at their patients and visitors. Doctors take time to speak with their patients and explain to them what’s going on. Care assistants perform their ancillary duties diligently.

What has changed, why and how? My mother might be seen by some as just another old lady with a failing heart who makes no fuss. She’s certainly no exception to the norm. It’s just that the system now embraces her and all the other patients at this particular hospital. They are recognised as customers and treated accordingly. It looks like the same hospital, with mainly the same staff and resources and the same budget, but clearly the whole culture has been dramatically altered for the better. I cannot imagine this scenario has been easily or quickly achieved, but the difference is most certainly overwhelming.

Reports in the national news often indicate widespread failures in the NHS across the whole country despite the vast and increasing sums of money thrown at it, and there’s little obvious sign that things are changing for the better. Of course, my local hospital is still struggling to deal with the ongoing pressures placed upon it, but the place absolutely serves as a shining example of how failings can be addressed without just throwing more money and managers at them.

The senior management has changed the culture. They have empowered the doctors and carers. They’ve made great efforts to communicate with staff and patients alike, and they’ve included the patients within their own treatment regimes. They have removed layers of management and silos of specialism such that everyone works as an integrated team.

This same lesson applies to cyber security in 2014. Cyber security still has insufficient profile and status among Board members despite their own obvious concerns. Notwithstanding the vast and increasing sums of money being directed towards this issue, our vulnerabilities to cyber attack continue to grow both at home and at work, as individuals or as corporations. The levels of e-crime continue to rise.

Data breaches and ID theft

Data breaches occur with increasing monotony and do great harm. International and industrial espionage is rife. Privacy is becoming a thing of the past. ID theft is commonplace while the threat to our children from grooming and our society at large from online pornography – and worse – grows on a daily basis.

The cyber security sector is fooling no-one except itself that things are alright. Our Boards are despairing at online safety and security in the same way that the public is despairing at the state of the NHS. Trust in cyber space was always a fragile thing anyway, but it’s being constantly bombarded and damaged by reports in the media of one breach after another.

Similarly, trust in organisations’ cyber security functions was always going to be a fragile thing, but what little traction it had is – in so many cases – being eroded on a daily basis. No matter how much money Boards throw at cyber security, their companies are still very likely to appear in tomorrow’s newspapers. Each day that they don’t make the headlines is not a day that their cyber security efforts have succeeded, but simply another day nearer the one when they will suffer a breach and thus make the headlines.

So many of these problems can so easily be overcome and trust restored. As is the case with the hospital and its improvements, there are magnificent examples of organisations succeeding at cyber security in an environment where most others are failing – and they have done so without any extra investment.

Part of ‘business as usual’

The difference – the only difference, in my humble opinion – is their culture. They have made cyber security part of ‘business as usual’. They have shown how good security can be a business enabler rather than just a cost on the bottom line. They have proven that it is indeed possible to gain by not losing. They have brought cyber security from the periphery and the shadows into the centre of the business stage, and they have merged it (and all other security functions) into a single risk management organisation – embracing the ‘convergence agenda’.

Martin Smith MBE

They’ve educated their workforces about the basics of cyber security (so-called ‘cyber hygiene’), empowering them both to protect their own data and systems and to report problems easily and quickly. Like my local hospital, these enterprises have stopped doing more of the same and instead looked sideways at how they can make what they already do so much more effective.

Like my local hospital, they have profoundly changed their cultures by taking time to communicate properly with everyone in the system – members of staff and customers alike. This last factor has been the key. It’s the single factor that has flipped the coin.

Like my hospital, they are a work in progress. There is still much to be done and many benefits still to be gained. If it can be done at these organisations, why not everywhere? The answer lies within our own power to change.

The fact that the cyber security industry still cannot – or will not – accept this, well… It’s enough to make a grown man cry.

Martin Smith MBE FSyI is Chairman and Founder of The Security Company (International) and the Security Awareness Special Interest Group

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
