Tag Archives: high reliability organization

Quest for Reliable Cyber Security

As we still struggle to improve physical security in the brick and mortar world, we are also greatly challenged by security issues in the cyber world. The layers of cyber protections are melting away quickly (Figure 1) as evidenced by an exponential growth in cyber crime. We are all racing rapidly away from the shores of the brick and mortar world, chasing after irresistible and addictive internet-based technology.

The Cyber War Statistics and Projections

Figure 2 shows the Lloyd’s of London estimated worldwide cyber damages in U.S. dollars for 2013 (100 Billion) and 2015 (400 Billion). The Jupiter Research projection for 2019 is $2 trillion. Cybersecurity Ventures projects $6 trillion of damage for 2021. If these projections become reality, that represents a 60-fold increase in cyber damages for the eight-year period between 2013 and 2021.

An independent Ponemon Institute study sponsored by Hewlett Packard said that, in 2016, the average U.S. firm reported cybercrime damages of $17 million. The average cyber damages were much less in non-U.S. countries, but the growth in such crimes is also increasing exponentially. The U.S. National Small Business Association study said that, on average, small businesses that had their bank accounts hacked lost an average of $32,000.

See also: 10 Cyber Security Predictions for 2017  

The Cyber War Defender Sentiment

Various IT expert surveys tell us that the majority of defenders feel that we are losing this cyber war. Here are some key disturbing sentiments:

  • An iSense Solutions survey of 250 IT professionals was conducted for Bitdefender among companies that were breached. Those that suffered cyber breaches in the last year convey the disturbing news that 74% of those that were breached don’t know how the breach happened.
  • A survey by the Ponemon Institute revealed that it took between 98 and 197 days to detect the fact that a security breach has happened.
  • An AT&T (Cybersecurity Insights) report surveyed 5,000 companies worldwide that were launching Internet of Things (IoT) devices. Only 10% of IoT developers felt that they could secure those devices against hackers. It is estimated that 10 billion devices were connected to the internet in early 2016 and that the number will grow to 30 billion devices by 2020.
  • Another Ponemon Institute survey in 2016 consisting of 643 IT experts revealed that only one-third of the IT experts surveyed consider the cloud safe from cyber attacks.
  • Cyberventures estimates that $1 trillion will be spent on cyber security products and services between 2017 and 2021.
  • Cyber experts tell us that just meeting compliance is the beginning of cyber security and not the end.
  • The World Economic Forum (WEF) stated that a “significant” amount of cybercrime and espionage still goes undetected.
  • Hacker tools are cheap, fast and becoming easier to use, providing disturbing attacker advantages.

The Cyber War Executive Summary

Let’s summarize this gloomy situation. We are in an exponential growth period of cybercrime. Anywhere from 67% to 90% of experts surveyed can relate to these comments:

  • They distrust the cloud.
  • Most do not know how or when they were hacked, if they were hacked.
  • Most do not know how to fully protect the old and new flood of internet connected devices from future hacks.
  • Just meeting compliance is insufficient against hacks and cyber attacks.
  • When hacks are noticed, they are noticed three to six months-plus after the fact.

This raises the question of how IT and security professionals will spend their security budget if they have been so unsuccessful in the past and present. This is clearly a high-risk environment and getting worse.

See also: How to Stir Dialogue on Cyber Security  

Can Cyber Strategies Rescue Us?

Classic and logical-sounding cyber strategies have been and are being rendered useless by hackers and cyber-sharks. Figure 3 depicts the sad state of worldwide cyber security. Why are most cyber strategies not working? Maybe because they focus too much on the technical and do not engage all of the enterprise resources and its culture as an additional layer of defense.

Figure 4 reminds us of the words of MIT Professor Bill Aulet, derived from the original quote by the famous management consultant Peter Drucker: “Culture eats strategy for breakfast, operational excellence for lunch and everything else for dinner.”  If our cyber strategy does not harness and engage the enterprise culture as a partner in this cyber war, we should expect only limited successes.

Can Artificial Intelligence (AI) Rescue Us?

Some are touting AI and machine learning as the “last hope” for cyber security, but some experts are also quick to confess that not all AI strategies are effective and that the cyber protection industry is only at the beginning of this journey to apply AI to cyber security. This confidence in AI also assumes that the “bad guys” will not use AI to become better hackers.

Can High-Reliability Organizational (HRO) Techniques Rescue Us?

Decades ago, high-risk organizations like nuclear submarines, aircraft carriers and nuclear power plants developed a highly successful culture-based management system that was later designated as high-reliability organizations (HRO). HROs have achieved zero-incident safety records even though they are considered high-risk. Now that every organization is thrust into the high-risk cyber world, it’s time to consider the HRO playbook and assess our cultures against custom HRO cyber criteria. Airlines, railroads, power plants, hospitals and other organizations are starting to customize HRO principles to meet their stretch goals for employee, customer and patient safety.

See also: Paradigm Shift on Cyber Security  

Figure 5 shows one of the first basic enterprise system and cultural assessments required to lay the foundation for HRO cyber thinking across all layers of the organization. Such assessments will require anonymous inputs from all stakeholders and levels to ensure that all skeletons in the closet and the taboo talk rules that limit cyber successes are exposed.

The pursuit of becoming a high-reliability cyber organization is not for the faint of heart, and it is not a quick fix. It is a set of highly disciplined principles that affect the behaviors, attitudes, decision making and accountability for every level of the enterprise cascade as summarized in Figure 6. If any of the cyber security elements in the cascade has a weak link, cyber security will be at risk. The last line of defense against cyber attacks needs to be organizational and cultural and not just technical or centered on compliance.

As the world moves toward the shocking new reality of annual multitrillion-dollar cyber damages, organizations will need to combine technical and non-technical best practices for reliability to counter cyber threats. Unfortunately, it might take one or more big business failures or a major worldwide cyber calamity before more organizations start to see the value of a combined high-performance culture and technical strategy. Great successes of HRO organizations should teach us that a combined culture and technical strategy is the best way to defend ourselves in this expanding cyber world war.

The Five Keys to Building a ‘High-Reliability’ Organization

Think about the challenges that face those in charge of a nuclear aircraft carrier. It:

  • Is manned by a bunch of 20-year olds.
  • Has jets with engines that can suck a person into the intake if the person is too close.
  • Has planes whose exhaust can severely burn a man or blow him overboard.
  • Deploys jet fighters that reach 150 mph in 2 seconds during takeoff.
  • Executes landings that essentially are controlled crashes.
  • Must fuel aircraft with engines running.
  • Handles all manner of explosive materials.

Yet, for all the hazards, accidents on flight decks are surprisingly rare. Because so many things could go wrong but almost never do, experts consider an aircraft carrier a “high reliability organization.” The clarity about individual responsibility and about how to function as a team is astounding.

Many of us have been involved in projects where the stakes have been high and we have had to prepare to an exceptional level and pay attention to every detail. But think of what is needed to enable this level of performance every day!

I have to admit I have not seen the level of high reliability you find on the flight deck of an aircraft carrier in very many mid-market businesses. Let’s face it. For businesses, the stakes are not as high as they are on a flight deck. But the principle is there for us to apply – clarity and preparedness escalates the predictability of success. And I’ve seen the principle work for units in a business that had really embraced continuous improvement.

Look at your business organization. Think about this outline of preparedness for each business unit (BU):

  1. Prepare the description of the 3-5 most important functions of each BU (that contribute to key results for success).
  2. What is necessary for each function to be performed optimally?
  3. What should the measured results be for each results area (success criteria)?
  4. What processes should be used to assure timely, accurate, high-quality performance?
  5. How will customer satisfaction (internal & external) and targeted results be measured and achieved?

How high do the stakes have to get for us to shift into a higher mode of clarity and preparedness? As business leaders, we are the ones who get to make that decision.

If this is an area of leadership you would like to read more about, email me and I will send you my white paper on PERFORMANCE MANAGEMENT – Accountability Based Job Performance.