Developing a culture of security

Jeff Gilley,
AVP, North Highland

The move towards digital transformation in Energy and Chemicals that is driving convergence between information technology and operations technology may create serious concerns for those in the cyber security arena. Protection of information is critical to management of reputational and commercial risk, but protection of operational assets is critical to the safety of the facilities in which employees and contractors work. Given this exposure, there will likely be considerable attention placed on building multiple layers of protection from a technological standpoint towards preventing unwanted intrusions into the converged IT/ OT system landscape. These technological protections are amalgam to the process safety components that are designed and engineered into facilities in the Energy and Chemicals sector. However, most firms in this sector look beyond process safety towards building a culture of safety into their organizations, and the same should go for firms that are looking to establish better cyber security controls in the transformed digital organization.

Adopting a holistic cyber security framework can empower organizations to stay one step ahead of this dynamic threat to protection of information:

1. Identify and Manage Risks: Develop an overall organizational understanding to manage cyber security risk to systems, assets, data, and capabilities, this may include a look at your overall maturity level with regards to cyber security.

2. Protect and Educate: Take proactive measures to ensure current systems, processes, and people are secure; to educate individuals (employees, users) on aspects of cyber security through awareness programs.

3. Detect and Collaborate: Evaluate threat landscape and occurrence of cyber security events continuously; collaborate with external and internal parties to improve state of cyber security.

4. Respond and Recover: Take planned mitigation actions in the event of a security incident and restore impaired systems/applications.

For this program to execute effectively, explicit focus on building a culture of security is critical. This is especially true given information security for large global organizations is a dynamic environment, where high stakes keep getting higher, and complexity keeps increasing. Large, distributed, and continually changing business environment and organization, including a global and diverse workforce (cultures, roles, work, and technology sophistication) and a high likelihood of change fatigue are all contributing factors. Additionally, there are evolving, multiplying and adapting cyber threats which are merging, evolving, proliferating. While employees are both the greatest weakness and the best asset in information security, significant workforce reduction may cause openings to breaches (e.g., loss of timely knowledge) and emotional disconnection with the impact of a corporate breach undermines security objectives. “Cyber security may be fought with technology, but it is people who triumph. We must invest in the future generations of professionals who will carry on the fight.” (Matthew Rosenquist, Cyber Security Strategist and Evangelist, Intel Corp).

Most cyber security programs look to both patterns and events to develop and deploy interventions. Events represent what happened and identify what needs to be done to fix it, while Patterns represent continued Events and identify what needs to change in order to fix it. To facilitate rapid, sustainable and self-generating culture change, information security programs must look beyond patterns and events.

Specifically, focus must be placed on:

• Systemic Structures: This is why the patterns are happening – Let’s change the structure so the patterns can’t happen again, and that the patterns we want, take place quickly and easily

• Mindsets: This is how people need to think to create and support the systemic structures – Let’s align our mindsets to support our vision and ensure the new structures are sustainable.

By focusing on Systemic Structures and Mindsets, the complexity that comes with cyber security can be fully addressed. Driving towards establishing a Cyber Security Mindset that focuses on Systemic Structures facilitates customization (and increased buy-in) by the workforce, whichenables better response to an ever-changing threat. By doing this, an organization can realize the following benefits:

Adaptiveness, Early Threat Detection, and Swift Threat Mitigation

• Increased organizational and employee ability to quickly adapt (all levels, across the org.)

• Increased employee ability to anticipate and mitigate threats (all levels, across the org.)

• Increased employee ability to make the right judgment calls in dynamic situations

Rapidly Developing a Sustainable Culture of Cyber Security

• Fast behavior adoption (Culture of Cyber Security)

• Increased sustainability of desired behaviors (Self-monitoring, self-correcting)

• Reduced demand on employees (Easier adoption, reduced change fatigue)

Return on Investment (ROI)

• Significantly reduced cost to move to a Culture of Cyber Security compared to traditional top-down approaches

• Enhanced impact generated by the existing and in-development outreach components (videos, poster campaigns, communications, training programs, etc.)

• High momentum and synergy driven between the various cyber security components

Key to implementation is the ability to build a campaign around cyber security awareness and enable it to be customized for each audience. This requires three levels of work:

1. Translate main campaign and mindsets into what relates to the audience

2. Articulate and embed stakeholders’ shared purpose in regards to information security

Worshipping at the Tomb of Connectivity?

3. Addresses specific behaviors So, how can an Energy and Chemical company take these concepts and build a campaign to develop and build cyber security awareness in the context of digital transformation? Generally, an effective campaign will call upon expertise in organizational behavior, cyber security threats, change management, communication management, and marketing. Below represents a few steps to get started:

• Assess: Rapid environmental scan coupled with key stakeholder interviews to identify current state of awareness, the needed “what’s in it for me” messaging, and associated change and training needs across enterprise

• Develop and Deploy: Supplemental content, KPIs, key messages, and overarching approach supporting change and awareness in alignment with Adkar model and with a UX lens

• Enhance: delivery tactical, and long-term strategic plans, as well as learning and engagement content and vehicles, via agile Continuous Improvement

• Build: the capabilities, behaviors and maturity required within the workforce to maintain a culture of cyber awareness and security via ongoing engagement and training

• Embed: desired capabilities and behaviors, transferring knowledge and approach to enterprise via internal org partnerships, skill-building, re-usable training modules, and other critical documentation to ensure business and cultural continuity

By focusing on enhancing awareness of cyber security threats and responses, organizations in the Energy and Chemicals sector can help build culture around protecting critical technology on both the information technology and operational technology side. Digital transformation requires visibility and engagement between both.