Cyber Security and Apollo 13: “Houston, we’ve had a problem!”

“It’s like flying with a dead elephant on our back.” ~ James Lovell, Apollo 13

Astronauts are a highly select group of engineers, scientists and pilots, and also some of the most rigorously trained of all professionals. For months and months they run through scenario drills for every possible contingency. They are smart, proficient and motivated to solve any problem they encounter. And they should be since they are thousands of miles away from earth and need to rely on their sophisticated space capsule, their training, ground support and each other. It is safe to say they “want to be safe while completing the mission”.

The quote, “Houston, we’ve had a problem here” came from Astronaut John Swigert when the crew of Apollo 13 announced to Houston Ground Control the discovery of the explosion that crippled their spacecraft. Something in the complex system of ther Apollo Command Module went wrong and the three Apollo astronauts were in serious trouble. Astronauts rely on a sophisticated system of technology and machinery to keep them safe.

But astronauts are not the only ones who want to be safe. I believe that nearly every individual inside our organizations today wants to be “cyber safe”. Only a very small fraction of employees actively seek to create a negative cyber incident. And yet 80% of all cyber breaches involve employee actions and mistakes.

If we start from the assumption that “employees want to be cyber safe, but they often just don’t know how”, then we are dealing with an organizational system issue, not a behavior problem. And a good place to look for potential risks is the cyber security culture.

Culture As A Business System

A bad system will defeat a good person every time. – W. Edwards Deming

The traditionally accepted definition of culture tends to focus on habitual behaviours, shared beliefs and collective values among employees that result in either effective or ineffective behavior towards work, management, suppliers and customers. Employee behavior impacts business results. But a much more important question is: what in the organizational system influences employees to behave in certain ways, and how are employee behaviors sustained and reinforced? Answers to these questions can give business leaders significant insight into the causal factors creating a specific corporate culture and the potential business risks inherent in the current culture.

We believe habitual employee behaviors, attitudes and beliefs are an outcome of corporate culture, and not the culture itself. By defining culture as a business system it is possible to identify a network of organizational drivers that directly or indirectly influence and sustain employee behavior. In simple terms, the system influences employee behavior, which in turn drives business results.

If there is a concern about cyber security effectiveness, then corrective insights can be gained by understanding and mapping the numerous drivers that make up the cyber security culture.

Cyber Security Culture

What are the cultural factors inside the company that influence cyber security? Our research with clients show that there are a number of company processes, policies, management capabilities and social network elements that are linked together into the cyber security culture system. Some of these drivers are healthy and promote positive cyber awareness and behavior, while others foster poor or even risky employee behaviors towards cyber security.

Using systems mapping and a specific culture algorithm, we can build a visual map of a company’s cyber security culture using internal company data combined with expert assessments. Each culture driver can then be color coded based on whether it is an enabler or blocker of effective cyber security, thus giving the leadership team the ability to locate current and potential risks in the culture. With enough internal data on drivers and business performance it is even possible to link culture to business results.

Here is an example of a cyber security culture map from our work with the CISO and his management team of a large European-based International Retail Bank. As you can see, several culture drivers show up as orange or red, indicating they act as barriers to effective cyber security.

Culture Change Is Really a System Change

Change the system to change the outcomes.

Fortunately for the astronauts of Apollo 13, with the help of Houston Ground Control staff they were able to contain the damage and land safely back on earth. But for the safety of future manned space flights, it was critical for NASA scientists and engineers to discover what in the design and construction of the Apollo command module contributed to the explosion on the Apollo 13. It turned out that it was not just one faulty part, but a series of small errors and miscommunications to equipment manufactures several years before which when networked together as the Command Module oxygen tank system, resulted in the explosion.

Next time your organization reports a cyber security problem, look deeper to locate those factors in the cyber security culture system that may be the ultimate causal factors. A cyber failure is an excellent opportunity to discover the real causal factors.

For some time, I thought Apollo 13 was a failure. I was disappointed I didn’t get to land on the moon. But actually, it turned out to be the best thing that could have happened. – Jim Lovell

For a discussion on cyber security culture inside your organization and how to map culture drivers, contact:

John R Childress

jrchildress@cultursys.com

About johnrchildress

John Childress is a pioneer in the field of strategy execution, culture change, executive leadership and organization effectiveness, author of several books and numerous articles on leadership, an effective public speaker and workshop facilitator for Boards and senior executive teams. In 1978 John co-founded The Senn-Delaney Leadership Consulting Group, the first international consulting firm to focus exclusively on culture change, leadership development and senior team alignment. Between 1978 and 2000 he served as its President and CEO and guided the international expansion of the company. His work with senior leadership teams has included companies in crisis (GPU Nuclear – owner of the Three Mile Island Nuclear Plants following the accident), deregulated industries (natural gas pipelines, telecommunications and the breakup of The Bell Telephone Companies), mergers and acquisitions and classic business turnaround scenarios with global organizations from the Fortune 500 and FTSE 250 ranks. He has designed and conducted consulting engagements in the US, UK, Europe, Middle East, Africa, China and Asia. Currently John is an independent advisor to CEO’s, Boards, management teams and organisations on strategy execution, corporate culture, leadership team effectiveness, business performance and executive development. John was born in the Cascade Mountains of Oregon and eventually moved to Carmel Highlands, California during most of his business career. John is a Phi Beta Kappa scholar with a BA degree (Magna cum Laude) from the University of California, a Masters Degree from Harvard University and was a PhD candidate at the University of Hawaii before deciding on a career as a business entrepreneur in the mid-70s. In 1968-69 he attended the American University of Beirut and it was there that his interest in cultures, leadership and group dynamics began to take shape. John Childress resides in London and the south of France with his family and is an avid flyfisherman, with recent trips to Alaska, the Amazon River, Tierra del Fuego, and Kamchatka in the far east of Russia. He is a trustee for Young Virtuosi, a foundation to support talented young musicians. You can reach John at john@johnrchildress.com or john.childress@theprincipiagroup.com

View all posts by johnrchildress →