TechRepublic’s Dan Patterson met with contributor and former Obama Cybersecurity Adviser Greg Michaelidis to discuss why cybersecurity is a human problem, and how companies can better communicate about cybersecurity solutions. Below is a transcription of the interview.
Patterson: Cybersecurity is too often treated as a tack-on to other business objectives, and instead, it’s wise to think about cybersecurity and solutions for cybersecurity more like a disease, more like you would treat a healthcare problem. Tell me more about that, Greg.
Michaelidis: My admonition for 2018 is to not forget to go the last mile in cybersecurity. You’ll spend a lot of money and effort getting almost to the finish line, to use a sports metaphor, but then in order to really make sure that the policies and procedures in security are getting embedded—that’s when I think we really need to see information security as more of a public health crisis.
I have an article that I’m going to be publishing soon that I’m sharing for the first time here with TechRepublic viewers and readers that treating cybersecurity more like diabetes is actually the way we ought to be approaching this, where you have behaviors that you can train and make habitual and have repeated by your doctor or your caregiver or your teachers, and make those just very regular parts of your life. It’s really a behavioral issue more than a technological issue in a lot of ways.
Patterson: I love that metaphor because it is systemic and holistic.
You’ve written down a few questions that every business should address and leaders should ask their CISOs and CIOs. Can you run me through some of these questions that are essential for business to know about cyber?
Michaelidis: Essentially what I’ve found in my own discussions with communicators, CISOs, and top leaders on these issues is that your CIO or CISO, and your communicators, whether it’s internal or external communicators, and even your Human Resources, people really need to know one another.
The reason is that if you have policies and procedures that you want to have people follow, your internal communicators, your HR people, and your onboarding staff can help you get those embedded in actual behaviors. They know what’s on the minds of employees, they know how to work with them and answer their questions and help translate, so that’s a really key piece right there.
The other piece is to ask yourself honestly, what happens when your IT or your training people come in; how do employees respond? If you see them rolling their eyes because they have to go through another online training, that’s a pretty good indication that they are not necessarily buying in to what you are trying to implement in terms of security policies.
Take that at face value and think about ways to make it more meaningful for them, and even include them in the idea that they’re helping increase security across the organization, and that they’re not just being punished with another training that they have to take.
Patterson: What are some examples, best practices, or ideas for communicating ideas and needs and really getting to know each other in this real human way? Often, leaders have more information than the ground troops, but how can we communicate not just the need but essential information up and down the chain quickly within the organization?
Michaelidis: Everybody who’s ever gone into a large organization, who’s started a new job at either entry level, mid-level, or senior level, has gone through an onboarding process. They fill out forms and learn where the kitchen is and how to get office supplies.
That’s a really good time to transmit to people what the culture is, what the company, organization, or nonprofit sees as important, and why they treat information security as importantly as they ought to, and that employees should be a part of that as opposed to, “Here are the things that are going to get you in trouble.” I think that’s sometimes overlooked as a place where you can really make an impression on new employees that can help build that culture throughout an organization.
Patterson: It almost goes without saying, but this sounds like, treat people like people so they are free to share information internally that can really help the company, which goes back to some fundamentals of management and business in general.
As we look into 2018 and beyond, what challenges do you see, what problems or red flags do you encounter, and what are the best solutions that you’ve encountered in the marketplace?
Michaelidis: One of the problems when you start to talk with senior people in technology, IT, CISOs is that they assume, perhaps often incorrectly, that they are better communicators than they actually are, that their information, and their advice will be taken and understood.
Having worked as a communicator for some years now, I realize there’s often a real gulf between people working in a communications capacity and employees, and then your technology folks. I think a bit of humility in saying, “Hey, I’m good at what I do, but I may not be the best person to find a way to get that into the hands of our hundreds or thousands of eyes and ears out there who make up our workforce or our membership,” and find a way to be creative and humble about what you don’t know, and put it in the hands of professionals who can help them make a force for good.