Winter 2020 Issue

Ilia Kolochenko, CEO of High-Tech Bridge (now ImmuniWeb), an award-winning cyber security company, said “Something is very wrong with cyber security”. One challenge with cyber security today is that many organizations believe it’s only about the technology. In reality much more is involved; consideration of the human, process, management and governance elements is often missed by senior leadership. Cyber Safety Culture is essential to fill this gap.

The cyber security industry is in need of a major re-think. Billions are spent on thousands of technology products while criminals continue to profit from cyber-attacks. Equifax and Capital One are just two dismaying examples. Why do security breaches of private customer data like this continue given the resources that large companies have to combat cyberattacks? Is it just the cost-benefit analysis? Some suggest that it is cheaper to pay for the effects of a breach than to prevent one. This is not a legitimate perspective when it comes to our identifiable confidential data.

A quick Google search generates some very concerning statistics indicating two sectors of the cyber economy that are doing very well. One is cyber security products and the other is hackers. Worldwide spending on cybersecurity is estimated to top $1 trillion for the five-year period from 2017 to 2021, according to Cybersecurity Ventures (Herjavec Group). Gartner estimated $93 billion for 2018 and predicts 12%-15% annual cyber market growth. As early as 2013, the Europol Serious and Organized Threat Assessment reported that cybercrime was more profitable than the illegal drug trade globally. Barracuda reported that in 2016 one unknown ransomware actor made $94 million in profit. Cybercriminals could be raking in profits up to 20 times greater than the cost of their attacks, according to 2014 figures compiled by Kaspersky Lab experts. They compared the cost of the most frequently used hacker tools with the money stolen in a successful malicious operation.

How is it possible that losses are getting bigger in spite of the billions devoted to cyber security products? Why do the risk and exposure continue to increase? A likely explanation is the Innovation-Adoption Life Cycle, which describes four phases typically experienced by innovation adopters: the “Technology Trigger”, the “Trough of Disillusionment”, the “Slope of Enlightenment”, and the “Plateau of Productivity”. The dismal results in defending against cybercrime mean that innovators, who had the courage and foresight to jump into cyber security as early adopters, are currently experiencing the “Trough of Disillusionment”.

We can extrapolate this to explain the general consternation in the market worldwide. The chart below, based on the adaptation of the Technology Adoption Curve in Geoffrey Moore’s book Crossing the Chasm, was published by Christopher Burke in Quora in July 2014. It clearly illustrates where we are in the Cyber Security marketplace:

Why are we stuck in this chasm? There are several factors contributing to this predicament:

  • There is shocking apathy about cyber security risk in many companies at the C-Suite and board levels. Digital skills are still absent from many board director skill matrices and recruiting profiles. I assume it’s the “It won’t happen to me syndrome”, or “My IT guy has it all covered”, or “What do we have that they want?” The ransomware attacks on non-profit organizations show just how misguided these views are.
  • Lots of money is spent on technical solutions instead of the larger cultural problem because technology is cool and process stuff is often considered uninteresting or unimportant.
  • There is dangerous separation of security into logical and physical realms, leaving cavernous holes for cyber criminals to exploit. Your physical security systems, video cameras, door management systems, key fobs etc. are prime targets for hackers. As the Internet of Things grows, so do opportunities for the bad guys.
  • Many cyber security implementations separate strategy from execution – they don’t sweat the details – leading to missed objectives.
  • Sustained culture change is difficult. Many leaders and managers would rather hide behind IT than face the problem head on.
  • For those who recognize the risk, the noise in the cyber security marketplace is overwhelming, which makes decision making difficult and confusing for buyers. Where does one look to solve this problem? Cyber security information is written in technical language that confuses business executives and is directed at an elite few in “the cyber industrial complex”. There are literally thousands of cyber security technology solutions, all claiming to have the answer. We have “a thousand points of light with no illumination!”

Something has to Change, Right?
Conventional wisdom is that we are losing the cyber security battle. An IBM and Ponemon Institute study in 2016 noted cyber resilience was dropping. They said 66% of organizations won’t recover from a cyberattack, a concerning prediction. Cyber experts are now saying “prevention is futile” and that it’s all about resilience, response, and recovery. They warn that focus on only blocking entry is misguided. Their view is that the crooks are already inside, so companies need to find them and stop them from getting out with their data.

The good news is that there is a growing awareness of the risk among corporate leaders. Cyber risk was ranked number two of all risks by CEOs in the KPMG 2018 Global CEO Outlook. Some experts believe the former dismal outlook is improving slightly as companies are waking up to the likelihood of an attack.

It’s possible that we could be looking at cyber security the wrong way, and many organizations’ focus on building higher and stronger walls is only one piece of the puzzle. It’s time to think differently about cyber security.

Safety Culture Works
So, how should we look at cyber security? Kolochenko also said “Cyber security is not rocket science. Begin by doing the right things right and keeping things simple. Doing the right things right means bringing people, their behaviours and the processes they follow into the picture.” Keeping things simple means a combination of easy-to-follow processes and a dose of common sense.

Our research has found common examples of safety culture in several industries. We can learn from them and apply them to transition to a Cyber Safety Culture.

As early as 2012, the Australian DOD Cyber Security Operations Centre identified that 85% of cybercrime could be mitigated by what are called the cyber security “hygiene” factors. Bad hygiene includes sloppy password protection, inaccurate counts of computer assets and poor patch control. Countering these behaviours is very effective and relatively simple. Would you agree this is an astonishing number given the current focus on expensive complex technology solutions?
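As an added illustration of two of the hygiene factors named above, accurate asset counts and patch control, here is a small Python check that reconciles an authoritative asset register against the hosts actually observed on the network and flags assets whose last patch is older than a threshold. This is example code written for this article, not the article's own material and not the methodology of the Australian centre it cites; the hostnames, owners and dates are constructed sample data, and the 30-day threshold is an assumed policy value.

```python
"""Basic cyber-hygiene check: inventory drift and patch age.

Constructed example; the register, discovered hosts and dates are made up.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    hostname: str
    owner: str          # team accountable for the machine
    last_patched: date  # date the host last received security updates


# Constructed sample register (the "official" count of computer assets).
REGISTER = [
    Asset("web-01", "ops", date(2020, 1, 10)),
    Asset("db-01", "ops", date(2019, 10, 1)),
    Asset("hr-laptop-7", "hr", date(2020, 1, 20)),
    Asset("legacy-print", "facilities", date(2019, 6, 15)),
]

# Constructed sample of hostnames seen by a network scan or DHCP logs.
DISCOVERED = {"web-01", "db-01", "hr-laptop-7", "unknown-cam-3"}

# Constructed "today" so the example is reproducible offline.
TODAY = date(2020, 2, 1)

# Assumed policy: anything unpatched for longer than this is out of compliance.
MAX_PATCH_AGE_DAYS = 30


def inventory_drift(register, discovered):
    """Return (unknown, missing).

    unknown: hosts on the network that nobody has recorded (shadow IT, rogue
             devices, forgotten IoT such as cameras).
    missing: registered assets not seen, which may be off, retired, or moved
             somewhere the scan cannot reach; either way the count is wrong.
    """
    known = {a.hostname for a in register}
    return sorted(discovered - known), sorted(known - discovered)


def stale_patches(register, today, max_age_days=MAX_PATCH_AGE_DAYS):
    """Return [(hostname, days_since_patch)] beyond the threshold, worst first."""
    stale = []
    for asset in register:
        age = (today - asset.last_patched).days
        if age > max_age_days:
            stale.append((asset.hostname, age))
    return sorted(stale, key=lambda item: item[1], reverse=True)


def hygiene_report(register, discovered, today, max_age_days=MAX_PATCH_AGE_DAYS):
    """Combine both checks into one dict suitable for a simple dashboard."""
    unknown, missing = inventory_drift(register, discovered)
    stale = stale_patches(register, today, max_age_days)
    return {
        "registered": len(register),
        "discovered": len(discovered),
        "unknown_hosts": unknown,
        "missing_hosts": missing,
        "stale_patches": stale,
        # The headline number a board can understand: share of the estate
        # that is both correctly inventoried and patched within policy.
        "clean_fraction": round(
            sum(1 for a in register
                if a.hostname in discovered
                and (today - a.last_patched).days <= max_age_days)
            / len(register), 2),
    }


if __name__ == "__main__":
    for key, value in hygiene_report(REGISTER, DISCOVERED, TODAY).items():
        print(f"{key}: {value}")
```

On the constructed data the report shows one device on the network that no one owns, one registered asset that cannot be found, and two machines more than a month behind on patches, so only half the estate is "clean". None of this needs a product to detect; it needs someone to own the list and act on it, which is the point of the hygiene argument.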

A colleague told me a story about hospitals in Australia trying to combat the spread of the flu by educating the public using detailed rational scientific explanations about viruses. Nothing happened. So, they gave up on that and launched a “Wash Your Hands” campaign and infection rates plummeted. This is now ingrained in our habits and culture. It is simple, straightforward, cost effective and it works. This demonstrates the power of culture change – the same concept that we need to combat cybercrime.

This story inspired me to promote Cyber Safety Culture. I believe Cyber Safety Culture is the missing link in our current approach and is the fundamental change required to combat cybercrime more effectively. And we have to build it collaboratively everywhere – not just in North America but around the world.

Creating a Cyber Safety Culture
“Never take candy from a stranger”. These words cite a hugely powerful cultural norm in our society – “stranger danger” – that we have adopted to educate our kids to keep them safe. This is a great example of ingrained safety culture; ubiquitously understood and second-nature in our kids’ awareness and behaviour. What exactly do we mean by a Cyber Safety Culture and how do you build one?

In a nutshell:

  • Understand your company’s cyber vulnerabilities in order to measure and manage risk through awareness, trust, education, intelligent pro-active processes, and common sense.
  • Provide a flexible, adaptable, integrated, coordinated, multimedia, multi-channel suite of processes, systems, and communications to engage personnel and transform your corporate culture.
  • Create and promote this culture in organizations by engaging everyone from the mailroom attendant through the C-suite up to the Board.

The market needs leaders who will use this new approach, leaders who know the status quo is not an option. Here’s what you must do:

  • Cut through the noise of the cyber industrial complex.
  • Present the risks clearly and accurately in simple business terms.
  • Provide solutions that are accessible and understandable.
  • Provide solutions that are affordable and as non-disruptive as possible.
  • Provide solutions that find the balance between running a business efficiently while making that business secure.

In short, leaders need to create a Cyber Safety Culture.

A part 2 of this series on cybersecurity, focusing on implementation of a Cyber Safety Culture, will be published in an upcoming issue of Consult.

Janet Cloud is Co-Founder and COO of Smashblock, a high-tech startup. She is a board director and accomplished senior technology and operations executive with global experience in medium to large companies. She was VP Operations & Technology at Advantage Group International, where she delivered digital products world-wide. She spent 10 years as EVP at TNS Canada/TNS U.S. (TNS Global) running Operations, Technology and transformational cross-border initiatives. With broad experience in banking, securities, consulting, B2B relationship management, market research, technology and digital products, Janet has transformed global organizations by inspiring high-performance teams executing digital innovation. For more information, visit: