Hello, welcome back to “Is your mind fit for cybersecurity?” with Johannes Drooghaag, or JD for short because it’s a lot easier, and Neville Gaunt. In this particular session we’re going to be covering the business angle. You know, one of the biggest problems in businesses is that they get hung up with this word cybersecurity and it freezes the business. And more importantly, it tends to be pushed into the IT department: “It’s your problem, it’s not mine.” So, JD, why do you believe cybersecurity is a leadership challenge and much less a matter of having the right technology? That to me seems to be where we really need to start this conversation.
Yes, I agree with you. We need to start with that conversation, Neville, because as you mentioned there’s a lot of technology involved, and we keep upgrading that technology, but we keep forgetting that it’s human beings working with that technology. They need to be comfortable with what they can and what they cannot do, and the thing that explains it best is that I always compare it to a car. I can buy a car with fantastic safety features, airbags, sensors, autonomous driving, artificial intelligence to detect dangerous situations, but it’s still me as a driver being responsible for safely driving that car. My favorite example is that I bought a car a couple of years ago, I will not mention the brand because I don’t want to make an advertisement for anyone (we are not getting paid for this). So I bought a car with a lot of safety features, it was really one of the safest cars I’ve ever driven and I felt very safe in that car. That car weighed about two thousand five hundred kilograms and I was moving that enormous heavy car through traffic. All the safety features do not allow me to go a hundred and twenty in a thirty zone, and why is that thirty zone there? Yeah, well, maybe there’s a school, maybe there are kids playing, maybe there’s a dangerous situation, a corner I cannot see. My safety features, which are the technical gadgets, right, still put the responsibility for safe driving, for taking my responsibility in traffic, in my hands. Now if we flip that around and we say “the cyber technology”, then suddenly we start thinking in patterns of “there is an IT department, they should solve it”. So now suddenly we’re using technology and we say “no, somebody else has to do that”, and that needs to change, and it needs to change throughout the organization. And any organizational change, from my perspective, and I know that you share that perspective, starts with leadership.
Yeah, you’re absolutely right, and I think your analogy comparing cybersecurity with traffic safety is a really good analogy and it’s something that we can all understand. You know, when I get in the car I know that if I drive to the capability of the car and obey the traffic laws then I’m going to be safe, unless some other idiot, you know, comes up. But do you think, if we look at that as an initiative for cybersecurity, that a driver’s license would help organizations and employees?
It definitely will, but not a driver’s license like it is, for example, in Germany, where you pass the exam once and you will never ever after have to do anything again. A driver’s license which gives you the foundation of understanding what you should and shouldn’t do, and then, I would almost say in a playful manner, and not just like a questionnaire, but in a playful manner, keep updating that information. Making sure that you know the new traffic rules for the cyber security environment, that you understand them, that you know how to deal with them. There’s one thing that I always use in my workshops. If we change the rules of traffic, we announce that. There are first political discussions and then we announce it to the public, and we have enormous campaigns to make sure that everybody understands those rules, and then there is even a grey period, where we say well, you should have been doing this since August first, but we close one eye and we let you get away with it, and then finally it’s the new final rule. When we look at cyber security, technology changes on a daily basis. Threats, you have hundreds of thousands of new threats, basically on a daily basis. You cannot work with one license you had twenty years ago, right, that’s not up to date. So yes, a certification or training or a license, but also an active program that keeps you up to speed with the new technology, because we keep getting new technology. You and I were not aware of a cloud ten years ago, although it was already on the network drawings as a cloud, but we didn’t call it a cloud. Now everybody is in the cloud, so what does it help me when I have my 20-year-old cyber driver’s license, right? Keep that knowledge active, keep people involved, that is also a very important part, and help them understand that cyber security starts with them and between their ears, as you always say.
It’s that five inches that we’ve all got between our ears. So, let me just sum it up, because I’d just like to keep this first session, you know, fairly short. You say technology is important, but leadership has to promote the responsible use of technology. Training of employees is absolutely fundamental, not just as a one-off but as an ongoing issue, on the current challenges, because those challenges are going to change over time, and it’s not just the employees in IT, it’s anyone using technology. Even from, you know, your checking card in a morning that opens the gates and allows you to either park the car or get into the building. So finally then, cyber security is about the responsibility of all leaders, not just one specific element, not the chief exec, or the CIO or the CTO, and then it’s a responsibility of all of the employees. Can you give some recommendations before we close, for actions which every organization can implement, just a simple overview?
Well, the first thing I would recommend is get a full scan of what you actually have as technology, and secondly get a full scan of what your organization actually knows about that technology. Where are the weaknesses, where do you lack information? Is everybody aware of all the tools, how to use them, how not to use them? You can even look at the efficiency of how they use them, because when they lack knowledge in one area they will probably also lack knowledge in the other area. Then I recommend moving away as soon as possible from this annual compliance-orientated training method, because that doesn’t help you at all. Get a dynamic, almost gamification-like training program installed and make sure that your entire team, from the executives to everybody in your organization, is actively involved in staying up to speed with the cyber opportunities and the cyber risk, and together that forms the cybersecurity.
Brilliant, brilliant. I mean, I think that’s probably a good place where they can start, and there’s a fair amount of work that they need to do there, but like anything else you’ve got to start on this road and really get it right, and stop compartmentalizing it into a part of the business that, interestingly enough, probably doesn’t understand your business. They’re there to keep the machines running, typically. But anyway, thanks very much for this first session. I hope everyone’s appreciated what route we’re going down. Here you’ve got a route plan that we’ve already identified for you, and we look forward to seeing you on the next “Is your mind fit for cyber security”.