One of the most important factors to success in combat missions is communication flow. During a mission, a special operations pilot will have to follow, at a minimum, four to five separate communication flows. Literally, four to five different sets of conversations focused on distinctly different aspects of the mission are taking place at the same time.
Why do I bring this up in a cybersecurity blog during cybersecurity awareness month?
Because like cybersecurity and IT, aviation and military operations are filled with processes and risk. Naturally most think “pilot checklist,” but the truth is the military has a long relationship with processes and checklists. Today, checklists are all over the place. There’s even a manifesto on them called The Checklist Manifesto: https://en.wikipedia.org/wiki/The_Checklist_Manifesto
But how much do they help, or hinder, an organization in developing cybersecurity awareness and resiliency?
The problem lies in the nature of processes and the nature of what is required for an organization to become cyber resilient.
A culture of cybersecurity awareness, which is a foundational requirement to a cyber-resilient organization, is not built on cyber security awareness training. If web-based training and phishing campaigns did the job, the military would need to do nothing more than plop its warriors in front of a monitor and put that trigger finger on a mouse.
People and cultures do not work that way.
Processes are well suited for specific types of activities: highly detailed, infrequently executed, and critical activities for example. However, processes are by definition limited in scope and embedded in something larger. Which is where “the process problem” creeps in.
Below is a pictorial example of the problem. It’s taken from NIST’s Cybersecurity Framework (CSF) document, and as a framework it does not seek to address in a holistic way the strategic and tactical aspects of information flows by design.
So what’s the problem?
The problem is what’s missing.
What’s missing are the management mechanisms to turn the multiple, isolated, communication flows within processes into a cohesive flow of information across management and senior executive levels at a cadence that builds cybersecurity awareness throughout the organization without negatively impacting the organization’s resources and operations.
Examples of such management level mechanisms are an Executive Cybersecurity Steering Committee and an Information Security Program. The key is ensuring the correct information is captured at the process level, and is communicated in a timely fashion and cadence complementary to business operations.
Without such management mechanisms, three damaging things happen. First, information does not effectively flow in a horizontal fashion within the organization. Second, no one in the organization believes cybersecurity is an organizational effort or concern. Why would they think otherwise? Cybersecurity is “that guy over there”, who is doing “cyber techy stuff.” Third, a cybersecurity minded culture never grows.
So that’s why I say there is a process problem in cybersecurity awareness–because most organizations have processes, but no management mechanisms to turn the information trapped in processes into organizational awareness.
If you are interested in learning more, please contact us at firstname.lastname@example.org and ask to speak to one of our Security Architects.