For those you that have been reading some of my recent posts, you know that I have concerns around the security of the Internet of Things. I ran across this article http://www.hydrocarbonprocessing.com/Article/3384714/Channel/194955/Treat-security-like-safety.html at Hydro Carbon Processing http://www.hydrocarbonprocessing.com/Default.aspx. This article compares cyber security to the way we in chemical industry treat safety.
This I thought was a very good way of looking at and potentially resolving the problem. In the chemical industry there is an intense focus on safety for all parties involved. In a number of companies that I work with a “Safety Moment” (a tail about safety) is required at the start of every meeting and event. As a result you get used to looking for safety problems and are continually aware of those actions that could place you, your colleagues, the environment, or the company, in harms way.
What would be the impact if Cyber Security Moments were also included at the start of meetings?
My current organization has had everyone in the company take a mandatory set of course (with a test at the end) as part of our development training. But I wonder, without continually emphasizing security (as chemical companies do with safety), how front of mind is the topic. From the article:
“Technology will not fix a problem unless the right processes and best practices are in place. Technology will help enable people to make the right decision. But the security culture has to be on a par with the safety culture in order to protect against a cyber attack. Even with multiple technology protective layers, users need to enforce a strong security culture that reaches every level—and it has to start at the top.”
This I totally agree with. Technology can only go so far. The “Intelligent Idiot” will always find a way around your security, and with the best of intentions. Maybe to get that report faster, that update quicker, all for the betterment of the business. everyone needs to watching, just as we do with safety. And unfortunately someone else will find this hole. Can we get to the point that we include security in our processes just as we do with safety. That is built in security in the first place and not as an after thought.
One further thought, if you discover what you think is a security hole in the process or in the network, do you know to whom and how to report it? And do you?