What the US military can teach CEOs about building a cybersecurity haven

As organisations worldwide continue to fall victim to cyber security failures caused by human error, a new report shows how CEOs can take a cue from US military leaders, who consistently repel more than 30 million cyber attacks a year on their institutions.

‘A recent survey by Oxford University and the UK’s Centre for the Protection of the National Infrastructure found that concern for cybersecurity was significantly lower among managers inside the C-suite than among managers outside it. Such shortsightedness at the top is a serious problem,’ said David Upton, American Standard Companies Professor of Operations Management at Saïd Business School, University of Oxford. 

‘The reality is that if CEOs don’t take cybersecurity threats seriously, their organisations won’t either. They must marshal their entire leadership team – technical and line management, and human resources – to make people, principles, and IT systems work together.’

Upton and others identified six core principles at the heart of the US military's success in stopping and containing intrusions on its systems, and how CEOs and business leaders can put them into practice.

Take charge!

CEOs should ask themselves and their leadership teams tough questions about whether they’re doing everything possible to build and sustain a high-reliability organisation (HRO) culture.

Meanwhile, boards of directors, in their oversight role, should ask whether management is adequately taking into account the human dimension of cyberdefense.

Make everyone accountable

All managers—from the CEO down—should be responsible for ensuring their reports follow cybersafety practices.

Managers should understand that they, along with the employees in question, will be held accountable. All members of the organisation ought to recognise they are responsible for things they can control.

Institute uniform standards and centrally managed training and certification

Merely e-mailing employees about new risks is not enough. Nor is an annual course on digital policies, with a short quiz after each module.

Cybersecurity training should be as robust as programmes to enforce ethics and safety practices, and companies should track attendance. After all, it takes only one untrained person to cause a breach.

Couple formality with forceful backup

Be clear about who is in charge of what, and what users are and are not allowed to do. Regularly reminding employees that their adherence to security rules is monitored will reinforce a culture of high reliability.

Check up on your defenses

CEOs should invest more in capabilities for testing operational IT practices and expand the role of the internal audit function to include cybersecurity technology, practices, and culture.

Scheduled audits should be complemented by random spot-checks to counter the shortcuts and compromises that creep into the workplace.

Eliminate fear of honesty and increase the consequences of dishonesty

Leaders must treat unintentional, occasional errors as opportunities to correct the processes that allowed them to occur. However, they should give no second chances to people who intentionally violate standards and procedures.

These core principles, says Upton, are what help military leaders create the culture that puts their organisation on cyber security lockdown. This approach eliminates human error and ensures everyone understands all aspects of the system, follows the proper operational procedures to the letter, and helps forestall potential problems.

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...