Building a cybersecurity program part 2 : Building a security culture & understanding the relat

by Paul Rostick

There are three significant challenges when building a cybersecurity program. They are 1) getting executive commitment, 2) building a security culture, and 3) understanding the relationship between resiliency vs. security. Last week we looked at Getting executive commitment. Let’s look at the last two in more detail in this blog.

Most companies already have a strong safety culture. We already know how to solve complicated problems around quality (e.g., zero defects as a goal), safety and environmental issues. We can use that knowledge and experience as the basis for developing a security culture.

Knowledge and culture around safety started changing in the 1980s due to accidents and new regulations. While many resisted the required changes, engineers were able to figure out how to make things both reliable and safe. It’s now an ingrained part of our culture. We’re at a similar early stage in terms of cybersecurity. Cyber needs to become an actual engineering discipline. It’s not something that the IT department can slap on at the end of a project. Bruce Schneier (a well-known security guru) stated “If you think technology can solve your security problems, then you don’t understand the problems, and you don’t understand the technology.” Engineering needs to own and solve the problem. A full-time collaborative group that reports at the board level will need to be created.

Resiliency vs Security

Individuals using free tools located thousands of miles away can bring down entire facilities. It’s much easier to attack than it is to defend. This is a very asymmetric battle. And the battlefield isn’t ‘out there’; it’s in your network and your plant. You’re fighting an essentially invisible enemy. It’s interesting to note that the average time to uncover a breach (how long someone may be lurking in your network) is 279 days, and 70% of the breaches are discovered by 3rd parties.

Pipeline leak detection can serve as a useful model for cyber. It’s necessary to identify, protect, detect, and respond to potential pipeline spills. You can’t ‘see’ into a pipeline, but there are ways to detect problems. The faster you can detect and respond to a problem can mean the difference between something minor and a catastrophe. Do everything you can not to have leaks, but plan, act and practice like you will have them. The exact same model and concepts apply for cyber.

You can’t build a wall around your systems and intruders will always be able to find a way in. The goal is to make your systems resilient enough to be able to withstand the inevitable hack. Michael Asante of the SANS Institute said, “Adversary groups are actively targeting facilities. You don’t get to choose if you are a target. You only get to choose how difficult a target you will be.” It’s important to have a plan.

See our aeCyber Solutions page for more information