Warren Buffett famously remarked: “Risk is not knowing what you are doing.” Simple yet profound. Many a time I have fallen victim to an overinflated sense of my own abilities and suffered the consequences, sometimes to my own ego and sometimes to my pocketbook.
After studying and advising on corporate culture for the past 35+ years I have developed a twist on Warren’s sage quote. Mine goes like this:
Risk is also not knowing what your culture is doing.
We know by now that corporate culture matters and plays a significant part in business successes, failures and yes, risks. Compare the stellar performance record of Southwest Airlines to the hubris and fraud at Volkswagen or the fall of the once revered Wells Fargo bank. Corporate culture is either a performance enabler or a business risk.
And corporate culture has a huge role to play in cyber security.
Traffic Lights and Roundabouts
I learned to drive in the US where stop signs and later traffic lights were the norm. I failed my first driving test at 16 for not looking both ways at the intersection before proceeding through. Now when I drive it is an automatic reflex.
However, for the past 25 years I have lived in the UK, where roundabouts are the norm and traffic lights a more recent addition. My first encounter with a UK roundabout was as a tourist and it was a mess. Not only was I driving on a different side of the road in a rental car with the steering wheel on the other side, but I was totally ignorant of the “rules” related to roundabouts. Needless to say, I was not popular at that particular intersection, but thankfully my passengers and I escaped unharmed, as did the other cars, whose drivers honked vigorously as if to acknowledge my stupidity.
Both traffic lights and roundabouts have rules and it is easy to understand how an accident could happen when a driver is ignorant of the rules and driving “etiquette”. But what happens when we know the rules? Is there a safety difference between traffic lights and roundabouts? And if so, why? And what the heck has all this got to do with cyber security?
Accountability for road safety
When one looks at data on traffic accident rates for roundabouts, traffic lights and stop signs, a startling difference emerges. Here are two sets of graphs that tell a very interesting story.
The data are clear: roundabouts are much safer, particularly in terms of fatal accidents, than either stop signs or traffic lights. And by studying human behavior, it becomes clear why.
Roundabouts work well because each driver takes personal accountability for their own safety and the safety of other cars as well. This shared accountability causes drivers to focus on their driving and the behavior of other drivers, pay attention in all directions and evaluate multiple possible scenarios for remaining safe. Also, the speed of cars in a roundabout is much slower than on the open road.
Driver behavior at stop signs is full of assumptions. If I stop, others will stop as well. Once I stop, it is okay to proceed. All other drivers understand the same rules about stop signs and have the same values of road safety as I have. A lot of assumptions! And they are often false. People run stop signs when in a hurry or when distracted and serious accidents occur.
Traffic lights, on the other hand, have proven more hazardous than roundabouts because people rely on the technology for their safety rather than taking personal accountability. Green means Go, Red means Stop and Yellow should mean caution. But when it comes to human behavior, being first, beating the light, zooming through a Yellow and being first off the line when the light turns Green are very real, and often dangerous, human actions. And the statistics show this clearly. Relying on technology alone to keep us safe is not failproof.
Accountability for Cyber Security
We are definitely losing the war on cyber security. It’s a technology arms race in which the bad actors keep overcoming and one-upping our every attempt to build and deploy cyber safe technologies. In fact, there is close to a 100% probability that you, your family and your company will be hacked at some point. And the costs are huge. Last year global cybercrime was estimated at around $600 billion, and today it is well over $1 trillion. And each cyber breach costs the average business over $3 million in recovery costs, lost revenue, damage to customer loyalty, loss of employee trust in management and numerous other costs.
And now we come to the analogy between cyber security and road intersections. Just like traffic lights, we cannot rely on technology to keep us cyber safe. We must take personal accountability. And in the corporate setting, that means building and sustaining a cyber safe culture where employees at all levels take personal accountability for keeping themselves and the company cyber safe.
Building accountability for cyber safety takes more than workshops and training classes. These are useful, but not sufficient. Accountability definitely has an educational component, but personal accountability cannot flourish in a culture of poor trust, blame, fault-finding, bullying, negative peer pressure, lack of transparency and feedback, and poor leadership. PowerPoint decks, written values on the walls and all-hands meetings may talk about cyber awareness and accountability, but when cost control, meeting the schedule deadline and being driven to accomplish impossible goals are the norm, remaining vigilant and personally accountable for cyber safety often takes a back seat. And the back seat is a dangerous place from which to pilot a speeding car, let alone a large organization facing a tsunami of cyber attacks.
The other barrier to being accountable for cyber security is that we have very poor data, if any, and few organizational models describing how culture and employee behavior affect cyber security. We have mountains of reports and terabytes of data about the technological aspects of cyber security, but almost none about the people side.
About CulturSys and Cyber Security Culture
To date, cyber security has mostly been reliant on technology and regulations (policies and compliance). They are definitely important, but as we are currently experiencing across the globe, not sufficient. We need a third leg to the cyber security stool — culture. And not just an amorphous culture, but a specifically designed cyber security culture.
CulturSys, Inc., whose founders have over 35 years of experience in helping global organizations reshape culture to improve business performance, has been focusing its expertise on data analytics and management tools to help build and proactively manage cyber safe cultures. We see culture very differently than most. We understand that culture is actually a business system, or network, of key influencing factors inside the company that drive employee attitudes and behaviors. And we can now visually map these factors.
Using a combination of data analytics, systems modeling and behavioral science, we have developed a software platform to visually map cyber security culture and to identify, using internal company data, potential cultural risks to cyber security. In addition, we have developed an extensive library of cultural best practices to support business leaders in building a more robust cyber security culture.
Combining data analytics, technology and human behavior insights will go a long way in creating a more accountable culture that reduces cyber risks.
John R Childress. Chairman, CulturSys, Inc.