Gary Hibberd, professor of communicating cyber for Cyberfort and former head of business continuity and information security at various companies, teaches the importance of building resilience in your organization not just with technology but also with people and processes.
Tim Erlin: Welcome to the Tripwire Cybersecurity Podcast. I'm Tim Erlin, vice president of product management and strategy at Tripwire. Today, I am joined by Gary Hibberd, who is the professor of communicating cyber for CyberFort. Gary comes to us with 30 years of cybersecurity experience. He was formerly the head of business continuity and information security at various companies. Gary has a lot of experience to contribute to this conversation. Welcome, Gary.
Gary Hibberd: Thank you very much for having me.
Removing Silos Increases Resilience
TE: Today, the topic that we've chosen to talk about is an interesting one to me. In information security and cybersecurity, we spend a lot of time talking about technical resilience and controls. We tend to be a very technology-focused industry group as a whole. An underrepresented cybersecurity topic is organizational resilience. How would you define organizational resilience?
GH: Organizational resilience can be thought of as the ability of an organization to anticipate, prepare, respond, and adapt to everything from minor, everyday events to sudden, acute shocks or chronic changes in the environment.
TE: That makes sense. When we look at cybersecurity and the technology focus that we have, what is it that we're missing as a group that belongs in that category of organizational resilience? What is missing in that conversation when you hear people talk about this topic?
GH: The thing that we're missing is the collaborative approach to ensuring that an organization is able to anticipate risk. Preparation is usually the business continuity and the response side of it. But it's that adaptive side of things that I think we miss. The ability to remove silos is the key. We're missing the opportunity to work with other areas of the business. Collaboration will make us more resilient to the ever-changing landscape in which we live.
TE: Is that silo problem unique to cybersecurity, or does it exist across the organization? The reason I ask that is because if it’s the case where other groups in the organization are practicing organizational resilience but cybersecurity is not, then that would be a different scenario versus a larger organizational problem.
GH: When I speak to business continuity people, it's happening less now. We are starting to see a change, and more and more people are talking about true organizational resilience. But we are still in a world where I talk to business continuity practitioners, and they are almost fearful of cybersecurity. They don't want to talk to the cyber security team. Equally, when I talk to cybersecurity practitioners, they are fearful of talking to risk management or to the compliance team because the cybersecurity team is there to implement technical security controls. Historically, perhaps they've run into problems when they have worked with compliance, who have said you can't do certain things. So people still are operating in silos, but it's not just from the cybersecurity team. It is from other areas of the business, as well.
Shared Goals and Concerns
TE: It makes me think about a lot of conversations about how cybersecurity can do a better job of connecting to the business, how CISOs need to understand and be able to communicate about the business. But it seems like this connection to business continuity is still a tenuous one at best. It's still a challenge for some cybersecurity teams to adopt the mindset of understanding that the job is not to make everything secure but to allow the business to run effectively in an environment where there are very real threats.
GH: Yeah, I absolutely agree. The metaphor I always use is that many cybersecurity teams are a little bit like the engineers who design cars. They create beautiful machines to go out of the factories, but while their primary concern is about the vehicle, they may not be as concerned about what happens once that vehicle is out on the road. And the people who are driving that vehicle, how are they driving responsibly? I think that we need to be more engaged with this, understanding that we have a responsibility beyond the creation of that vehicle. Likewise, the business needs to understand the other side, as well—that is, appreciate that they can't do the business without having a safe vehicle.
The business is made up of functions, and those functions are made up of people. For me, when I'm teaching and training consultants to go out to the business as well as to engage with businesses, I'm emphasizing the importance of doing it on a very human level. To go into an organization and just declare that we are going to make them more secure just isn't really helpful. We need to find out the objectives and the goals. What we need to do is understand the individual drivers for finance as compared to Human Resources as compared to the marketing team and every other area. Then, if we can start to get down to that level, we can then start to be able to really influence a change. That can reduce those silos.
TE: Yeah. It's easy to describe that, but it really is a skill set to be able to do that kind of activity and undertake that kind of activity inside of an organization. In the more technical disciplines, we certainly don't recruit for and hire that kind of a skillset.
GH: I would agree. The soft skills, the people skills, are the ones that are a little harder to measure and to be able to engender in people. But they're the kind of skills that I think are really important for us. It is possible, but it does take time. It takes relationship building to break down barriers, misapprehensions and past experiences.
TE: If you're someone who's more technically minded, who's used to implementing tools, that time spent on building relationships often seems like a waste because you're not accomplishing anything tangible. In fact, it's critical to breaking down silos and accomplishing the kind of the foundational relationships that are necessary to build organizational resilience.
GH: I agree. If you focus on the people, you've trained people and you get people to understand the importance of security, then hopefully these tools aren't going to be necessary. I used to say to people many years ago, "I'm writing documents that I hope will never, ever be used." That's the whole purpose of business continuity. But, in the last 10 years, I would suggest that if business continuity plans are written and structured well enough, they should be able to be used to prepare people and organizations to be more adaptive.
TE: I think it's interesting to think about how the rise of ransomware impacts that relationship between business continuity and information security because it's a kind of attack that can only really be successful for the attacker. It has to announce itself in order to ask for ransom, in order for that attacker to get paid. That's opposed to attacks that are focused on stealing data, or other types of information, by staying stealthy. Since ransomware reveals its presence, it drives a very different type of response. And because it cripples systems, it has to bring business continuity and information security closer together. Have you seen that trend?
GH: You're absolutely right. Over the last four or five years, we've got better at this. I am seeing more business continuity practitioners coming to cybersecurity events to learn about the different threats that are out there and attack vectors. I think they are looking at these things much more closely than they previously did because they understand that all the teams must work much more closely together. But it's a bit of a surprise that it is only just starting to happen. The gaps are starting to close between business continuity and cybersecurity.
People First Mindset
TE: Let's shift away from what the problems are and talk a little bit about how companies have changed or should change. Have organizations become more or less resilient through dealing with COVID? What's your perspective on that?
GH: In some of the organizations, there is an element of feeling that they are untouchable. That false sense of security could leave a company at risk. One of the things the organizations need to do on a very micro level and a macro level is just recognize that the pandemic has changed the way that businesses are functioning. Again, back to that organizational resilience side of it, being able to be adaptive is going to be core to future business survival.
The question we can consider is, "Are we more resilient now than we were 18 months ago?" I think he's just that the landscape has shifted because this has been a very “human” crisis that we've been through. It's also affected billions of people in terms of the way that they now see the world. It has certainly shifted the sands quite considerably more to get organizations to see people differently.
TE: Yes. Your point that it's been a very human crisis for businesses is a really interesting one because we often think about business continuity and information security in technical terms, in business terms and not so often in human terms. It brings home that point that, ultimately, these businesses are made up of people. In order for that business to be resilient, you have to deal with the human resilience, as well. That's a core component.
GH: The pandemic has force the C-suite to start to reassess how they deal with their people on a very individual level. Many years ago, I was involved in business continuity for a large call center that employed thousands of people. I recall having a conversation with a senior member of the board, and when I asked what the recovery process was, their response was, “Well, we will get buses, and we will transport people to our disaster recovery sites, and the systems can be up and running within X amount of time, and therefore, they'll be functional within X amount of time."
I forced them down a route of thinking about the people, and I said, "But these people are impacted by the same kind of disaster that we're likely to be impacted by. Are you expecting them to come to work two hours earlier? Because they're going to get on a bus that's going to take them two hours up the road. Then, they've got to become operational. Then, they've got to get back home to pick up the little Stephanie or Steven from school." I got them to think through the crisis in a very human way and thinking about the impact on the people rather than just on the business impact. COVID 19 has created the same mind-shift in a lot of people where they had to start thinking about the impact upon their people
TE: I would suggest that the companies that have shifted their mindset are the ones who, post- pandemic, are likely to be more successful. There are definitely companies where people are going to be looking to make a move and leave that organization because they experienced how they're treated in that scenario. It drives a dynamic job market, even in cybersecurity
GH: I completely agree. That's the area where, as you said, organizations who have thought about their people, communicated well with their teams and kept them abreast of what's going on are the ones that are going to survive and thrive beyond this. Of course, there are other organizations, large organizations, who will continue, but I think they'll start to see an exiting process.
Actionable Steps Toward Resilience
TE: What do you have in mind as the top actions that organizations can undertake in order to improve organizational resilience, as we've talked about?
GH: We talked about removing silos, but how do you do that? I would urge anyone out there right now, whether you are in risk, compliance, information security, or any of those supporting services, to come together create a working group. Recognize that we are stronger together. That working group can sit down and start to look at their organization in a very humanistic way and do some force-field analysis. Look at each of the functions, look at the people within those functions and and ask yourself on a scale of one to 10, "Who are our supporters? Who are our cheerleaders? Who are our detractors, the people who we've got to convince to participate?" That's a paper-based desktop exercise that any organization can do.
It doesn't matter if it's two, four, or 10 people who are needed to create that working group. Start to have a coordinated approach to your organization.
The next is, if you're working for an organization that has a marketing function, then learn the language of your organization including your finance, HR, and operations teams. Also, understand how you have communicated in those areas in the past. Sit down with your marketing team to come up with an internal public relations campaign because that's ultimately what you are doing. You are trying to sell a message. You are trying to sell a vision of the future. And you can only do that by understanding the goals and objectives of the entire organization.
Think about how we sell anything in this world. Do we sit down and watch boring ads and films, read boring books and listen to boring music? No, and yet we still have boring policies and boring approaches to our implementation of cybersecurity and risk. So let's look at this differently and learn to be marketers. Let's sell what we're doing, because what we are doing is extremely important. Make time to build connections, build your reputation within those areas, and be seen as a department or a function that is going to help solve problems. If you could do all of those things, you're going to build a more resilient team and also help the organization to become more resilient, too.
TE: That's great advice. Thank you so much, Gary. And thank you so much for spending the time with us. We really appreciate it.
GH: Thank you for having me.