Years ago, before I was in this business, I got to know the chief training officer for the new Naval Aviators learning to fly multi-million-dollar jets off of a billion-dollar aircraft carrier. His job was to teach these young aviators how to conduct flight operations off of this dangerous platform with safety in mind. I asked him a simple question about safety: How do you do it?
His answer was just as simple. It is an attitude. You must have the attitude of safety in mind first. It must be how you conduct your daily affairs and be a part of your everyday mode of operation. This is not a single fire suppression system or some kind of special arresting gear, or even safer jets that have more advanced avionics to avoid catastrophic crashes. It is the attitude of all of the personnel on that carrier.
What is the current attitude in the cyber user community and the standard management? It is that cybersecurity is important and that it is a problem, but "I am not an engineer, so I am not going to be concerned with it." Or the attitude is "someone else is taking care of that; it is not my area of expertise."
But go back to that carrier example. Suppose a crewmember sees something that has nothing to do with his job. Say he sees some equipment improperly stored, and the next time there is a mishap this mis-stored equipment will cause a fire. What should he do? Should he just say it's not his problem and he knows nothing about this equipment? Of course not. He is going to tell someone.
It is exactly the same with cybersecurity. Sure, firewalls and antivirus software are important, but they are just tools. Much more important is the cybersecurity attitude. When an employee sees a strange occurrence, such as documents that are not filed safely, or is getting strange phone calls, he should report it, or at the very least ask about it. And this starts from the top and filters its way down. This attitude needs to be ingrained in your culture so everyone in your company knows about it.
How you act as a leader and how you teach this in your culture will determine this attitude: not just preaching about it but demonstrating it at every turn. I believe if executives nationwide did this one very important thing, we could truly change the face of cybersecurity overnight.