University of Oxford said US military can teach CEOs about cybersecurity

As organisations worldwide continue to fall victim to cyber-attacks made possible by the mistakes of their own network administrators and users, a new report shows how CEOs can take a cue from the US military and create high-reliability organisations (HROs) that consistently guard against cybercrime.

An article published in the Harvard Business Review, Cybersecurity’s Human Factor: Lessons from the Pentagon, by James A. Winnefeld Jr., Christopher Kirchhoff, and David Upton, identifies the six principles at the heart of the US military’s success in stopping attacks on its systems and quickly containing the few intrusions that occur. Crucially, the authors also indicate how the principles can be put into practice in other types of organisations.

The report says the vast majority of companies are more exposed to cyberattacks than they have to be. To close the gaps in their security, CEOs can take a cue from the US military. Once a vulnerable IT colossus, it is becoming an adroit operator of well-defended networks. Today the military can detect and remedy intrusions within hours, if not minutes. From September 2014 to June 2015 alone, it repelled more than 30 million known malicious attacks at the boundaries of its networks. Of the small number that did get through, fewer than 0.1% compromised systems in any way. Given the sophistication of the military’s cyberadversaries, that record is a significant feat.

One key lesson to be drawn from the military’s experience is that while technical upgrades are important, minimising human error is even more crucial. Mistakes by network administrators and users—failures to patch vulnerabilities in legacy systems, misconfigured settings, violations of standard procedures—open the door to the overwhelming majority of successful attacks.

Most successful cyber-attacks are down to human error, not inadequate technology. Cyber-security is therefore a leadership issue, and a short-sighted view in the C-suite is a serious problem: CEOs need to take charge and create high-reliability organisations, although whether this is achievable in civvy street is questionable!

To do so, they should embrace the core principles practised by the US military that consistently minimise risk and successfully repel more than 30 million cyber-attacks a year. Perhaps this one aspect of corporate business needs to be run this way, whilst a more liberal hold on management is maintained in the rest of the organisation, allowing “out of the box” innovation to continue.

A recent survey by Oxford University and the UK’s Centre for the Protection of the National Infrastructure found that concern for cybersecurity was significantly lower among managers inside the C-suite than among managers outside it.

The reality is that if CEOs don’t take cybersecurity threats seriously, their organisations won’t either. They must marshal their entire leadership team—technical and line management, and human resources—to make people, principles, and IT systems work together.

The authors acknowledge that embedding these principles in an organisation with a formal command structure, such as the British Army or the US forces, may be easier than in a looser, more democratic organisation. However, they have identified measures that leaders in any organisation can take to embed these principles in employees’ everyday routines.