Cyber Security, Traffic Lights and Roundabouts

Warren Buffett famously remarked: “Risk is not knowing what you are doing.” Simple yet profound. Many a time I have fallen victim to an overinflated sense of my own abilities and suffered the consequences, sometimes to my own ego and sometimes to my pocketbook.

After studying and advising on corporate culture for the past 35+ years I have developed a twist on Warren’s sage quote. Mine goes like this:

Risk is also not knowing what your culture is doing.

We know by now that corporate culture matters and plays a significant part in business successes, failures and yes, risks. Compare the stellar performance record of Southwest Airlines to the hubris and fraud at Volkswagen or the fall of the once revered Wells Fargo bank. Corporate culture is either a performance enabler or a business risk.

And corporate culture has a huge role to play in cyber security.

Traffic Lights and Roundabouts

I learned to drive in the US where stop signs and later traffic lights were the norm. I failed my first driving test at 16 for not looking both ways at the intersection before proceeding through. Now when I drive it is an automatic reflex.

However, for the past 25 years I have lived in the UK, where roundabouts are the norm and traffic lights a more recent addition. My first encounter at a UK roundabout was as a tourist and it was a mess. Not only was I driving on a different side of the road in a rental car with the steering wheel on the other side, but I was totally ignorant of the “rules” related to roundabouts. Needless to say, I was not popular at that particular intersection but thankfully my passengers and I escaped unharmed, as did the other cars, who honked vigorously as if to acknowledge my stupidity.

Both traffic lights and roundabouts have rules and it is easy to understand how an accident could happen when a driver is ignorant of the rules and driving “etiquette”. But what happens when we know the rules? Is there a safety difference between traffic lights and roundabouts? And if so, why? And what the heck has all this got to do with cyber security?

Accountability for road safety

When one looks at data on traffic accident rates for roundabouts, traffic lights and stop signs, a startling difference emerges. Here are two sets of graphs that tell a very interesting story.

The facts are clear: roundabouts are much safer in terms of accidents, and particularly fatal accidents, than either stop signs or traffic lights. And by studying human behavior, it becomes clear why.

Roundabouts work well because each driver takes personal accountability for their own safety and the safety of other cars as well. This shared accountability causes drivers to focus on their driving and the behavior of other drivers, pay attention in all directions and evaluate multiple possible scenarios for remaining safe. Also, the speed of cars in a roundabout is much slower than on the open road.

Driver behavior at stop signs is full of assumptions. If I stop, others will stop as well. Once I stop, it is okay to proceed. All other drivers understand the same rules about stop signs and have the same values of road safety as I have. A lot of assumptions! And they are often false. People run stop signs when in a hurry or when distracted and serious accidents occur.

Traffic lights, on the other hand, have proven to be extremely hazardous because people rely on the technology for their safety rather than taking personal accountability. Green means Go, Red means Stop and Yellow should mean caution. But when it comes to human behavior, beating the light, zooming through a Yellow and being first off the line when the light turns Green are very real, and often dangerous, human actions. And the statistics show this clearly. Relying on technology to keep us safe is not 100% failproof.

Accountability for Cyber Security

We are definitely losing the war on cyber security. It’s a technology arms race with the bad actors overcoming and one-upping our every attempt to build and deploy cyber safe technologies. In fact, there is close to a 100% probability that you, your family and your company will be hacked at some point. And the costs are huge. Last year global cybercrime was estimated at around $600 billion, and today it is well over $1 trillion. And each cyber breach costs the average business over $3 million in recovery costs, lost revenue, damage to customer loyalty, loss of employee trust in management, and numerous other costs.

And now we come to the analogy between cyber security and road intersections. Just like traffic lights, we cannot rely on technology to keep us cyber safe. We must take personal accountability. And in the corporate setting, that means building and sustaining a cyber safe culture where employees at all levels take personal accountability for keeping themselves and the company cyber safe.

Building accountability for cyber safety takes more than workshops and training classes. These are useful, but not sufficient. Accountability definitely has an educational component, but personal accountability cannot flourish in a culture of poor trust, blame, finding fault, bullying and negative peer pressure, lack of transparency and feedback, and poor leadership. PowerPoint decks, written values on the walls, and all-hands meetings may talk about cyber awareness and accountability, but when the pressure is on for cost control and making the schedule deadline, and being driven to accomplish impossible goals is the norm, remaining vigilant and personally accountable for cyber safety often takes a back seat. And the back seat is a dangerous place from which to pilot a speeding car, let alone a large organization facing a tsunami of cyber attacks.

The other barrier to being accountable for cyber security comes from the fact that we have very poor, if any, data or organizational models as to how culture and employee behavior impact cyber security. We have mountains of reports and terabytes of data about the technological aspects of cyber security, but almost none about the people side.

About CulturSys and Cyber Security Culture

To date, cyber security has mostly been reliant on technology and regulations (policies and compliance). They are definitely important, but as we are currently experiencing across the globe, not sufficient. We need a third leg to the cyber security stool — culture. And not just an amorphous culture, but a specifically designed cyber security culture.

CulturSys, Inc., whose founders have 35+ years of experience in helping global organizations reshape culture to improve business performance, has been focusing its expertise on data analytics and management tools to help build and proactively manage cyber safe cultures. We see culture very differently than most. We understand that culture is actually a business system, or network, of key influencing factors inside the company that drive employee attitudes and behaviors. And we can now visually map these factors.

Using a combination of data analytics, systems modelling and behavioural science we have developed a software platform to visually map cyber security culture and identify, using internal company data, potential cultural risks to cyber security. In addition, we have developed an extensive library of cultural best practices to support business leaders in building a more robust cyber security culture.

Combining data analytics, technology and human behavior insights will go a long way in creating a more accountable culture that reduces cyber risks.

John R Childress. Chairman, CulturSys, Inc.

About johnrchildress

John Childress is a pioneer in the field of strategy execution, culture change, executive leadership and organization effectiveness, author of several books and numerous articles on leadership, an effective public speaker and workshop facilitator for Boards and senior executive teams. In 1978 John co-founded The Senn-Delaney Leadership Consulting Group, the first international consulting firm to focus exclusively on culture change, leadership development and senior team alignment. Between 1978 and 2000 he served as its President and CEO and guided the international expansion of the company. His work with senior leadership teams has included companies in crisis (GPU Nuclear – owner of the Three Mile Island Nuclear Plants following the accident), deregulated industries (natural gas pipelines, telecommunications and the breakup of The Bell Telephone Companies), mergers and acquisitions and classic business turnaround scenarios with global organizations from the Fortune 500 and FTSE 250 ranks. He has designed and conducted consulting engagements in the US, UK, Europe, Middle East, Africa, China and Asia. Currently John is an independent advisor to CEOs, Boards, management teams and organisations on strategy execution, corporate culture, leadership team effectiveness, business performance and executive development. John was born in the Cascade Mountains of Oregon and eventually moved to Carmel Highlands, California during most of his business career. John is a Phi Beta Kappa scholar with a BA degree (Magna cum Laude) from the University of California, a Master's degree from Harvard University and was a PhD candidate at the University of Hawaii before deciding on a career as a business entrepreneur in the mid-70s. In 1968-69 he attended the American University of Beirut and it was there that his interest in cultures, leadership and group dynamics began to take shape.
John Childress resides in London and the south of France with his family and is an avid flyfisherman, with recent trips to Alaska, the Amazon River, Tierra del Fuego, and Kamchatka in the far east of Russia. He is a trustee for Young Virtuosi, a foundation to support talented young musicians. You can reach John at john@johnrchildress.com or john.childress@theprincipiagroup.com