In a previous blog, we discussed Commander’s Intent for CEOs and introduced 10 questions CEOs should be asking their teams.
In this blog series, I am going to take a deeper dive into each question and break them down one at a time. We will discuss why CEOs should care about each question and the type of answers teams should be providing.
This week we dive into the question:
“Do we have a training and awareness program in place?”
When I work with CEOs, I like to use a safety program within an organization as a parallel to a cybersecurity program. There are a number of industries where having a safety program is required. While NOT required in all industries, it’s a good idea for all companies to have one.
A Plan for Safety
I once had a manager who formerly managed a safety program for a small trucking firm. The company had under-invested in accident prevention, training and awareness, and managing driver sleep time between shifts. The risk of under-investment was raised numerous times without appropriate action being taken. An incident finally occurred involving a gas truck, an overpass, and a Volvo heading home. The results of this accident were devastating.
A cyber incident can have very kinetic results, including loss of life, loss of customers, damaged reputation, stolen data, lost business up-time or a class action lawsuit. The threat of a cyberattack is very real. Ensuring your employees are aware of that threat and understand their role in securing your organization is a great way to decrease your risk of an incident.
(Side note: the trucking firm went out of business as a result of litigation. This was an actual worst-case scenario for them.)
Safety is a program that requires management and training. It’s a culture in an organization.
Companies with a culture of safety make it visible to the entire organization. We don’t often do the same with cybersecurity.
To create a culture of safety in an organization, time and resources are spent to ensure people are properly equipped and trained in procedures and understand how to prevent incidents, as well as what to do in the event of an incident.
In the Marine Corps, safety is drilled over and over, but they also have videos and training. They show you the accidents. They talk about what went right and what went wrong. You drill in the scenarios. One thing sticks out to me regarding safety planning from when I was stationed on an aircraft carrier as a Marine. We first watched a video of the U.S.S. Forrestal blazing away as a jet-fuel fire began lighting off live ammunition. That video led to endless firefighting simulation drills. Yes, as a Marine, I threw on firefighting gear and grabbed hoses. Even the Marines had a job firefighting in the event of a fire. It was part of our culture on board and part of our daily lives. Incidentally, we later had two fires: an F-18 that caught the wrong wire and an on-board fire. Neither resulted in anything more than a bit more training, and there was no loss of life. Training and constant awareness work.
These are all qualities that a cybersecurity program should share. Safety is everyone’s responsibility. So is cybersecurity. As the CEO, you don’t need to know all of the ins and outs of the program, but knowing if everyone in the organization has gone through it is a good start. Your team should also have specific training for you, the executive team, and the board. You should go through the training and ask any questions that come up. Your team should be constantly educating the entire organization to help ensure your Commander’s Intent for Cyber Security is being carried out.
To create this culture in your organization, you, as the leader, should find a way to communicate the importance of cybersecurity. Start by filming a video message and sharing it with your employees.
People are the key to any successful organization. People are also the key to a successful cybersecurity program. Ensuring they are aware and trained will keep you out of the headlines and ahead of your competition.