A Cyber-Security Culture

Let’s close this holiday-shortened workweek with a post about cyber-security. Recently ARC Advisory Group’s Larry O’Brien posted on the topic of Safety Culture. In it, he makes the strong point:

However, an organization with a vigorous safety culture is always in a better position to avoid accidents and is better prepared when such an incident happens. Management needs to determine the degree of safety culture they wish to achieve, and chart and navigate a path to get there. Management responsibilities include not only rigorous safety planning, but also instilling a strong safety culture within their organization. Only, a person working within a strong safety culture feels more secure and is motivated to make the workplace safer for everyone.

Emerson’s Bob Huba has been making similar points about the importance of culture as it applies to process control cyber security. I added one of his presentations in a post, Like Plant Safety, Build a Culture of Security. His key message is that security must be looked at holistically, much the way process manufacturing plants take a holistic view of safety.

I forwarded my RSS feed of Larry’s post to Bob Huba for his additional perspectives. Bob wrote back:

Organizational culture is also important in security. If you depend on enforcement from above or via IT control of the system to make you secure, people will continue to do insecure things – bring in infected USB sticks and such. Unless you train and educate people to not do insecure things, you will never maintain a security program. Process control equipment is just too vulnerable, being out in the plant environment, to do security without the buy-in and understanding of the people who live and work out in the plant.

As a product manager on the DeltaV team, Bob looks at the technological aspects that can help process manufacturers with their security efforts.

Technology can help to some extent, but a proactive security culture is imperative, much as a safety culture is.

Posted Friday, May 29th, 2009 under Cybersecurity.
