22 June 2012
The next attack on the U.S. may be launched from a personal computer or laptop. Although the attack itself would bear little resemblance to the attack on Pearl Harbor, the effects of a digital assault could be devastating. Within just a few minutes, air traffic control systems, power stations, hospitals and refineries would grind to a halt. Colossal gridlock would trap millions in dark, powerless cities. As water and food supplies become affected, civil unrest will follow. Defense Secretary Leon Panetta has stated that the effects of an all-out cyber assault on society would be catastrophic. The FBI's top cyber cop Shawn Henry said in a March interview that companies are taking heavy risks by operating vulnerable networks.
Former White House National Security adviser Richard Clarke once wrote, "[It] is the public, the civilian population of the United States and the privately owned corporations that own and run our key national systems that are likely to suffer in a cyber-war." Cofer Black, former director of the Central Intelligence Agency's Counterterrorist Center, recently warned in his keynote speech at the Black Hat Conference that cyber attacks are imminent and will escalate.
Just as no one could have predicted the attack on Pearl Harbor, one can only speculate when and where a cyber attack will take place. According to the 2012 Bloomberg Government study titled "The Price of Cybersecurity: Big Investments, Small Improvements," most organizations are likely unprepared for a cyber attack. The study suggests companies should spend nine times more on securing computer networks to prevent an attack. So how can organizations safeguard themselves from cyber assault? More specifically, what can learning leaders do?
1. Be prepared.
Since training is an organization's first line of defense and budgets are tight, learning leaders should plan for adoption. They need to assess the organization's current and desired states. Moreover, they need to understand the organization's best practices, unique challenges, distinct goals, culture and methodologies. This will establish a road map to measurable results.
2. Provide the right training.
Armed with the roadmap and the right tools to measure progress toward the desired end-state, learning leaders should implement a learning program that will provide their organization with the knowledge and skills to develop and implement a cyber- security strategy. Most training programs in the market miss the mark; they are either too broad or too technical. Look for training in information assurance and cyber security fundamentals; information assurance risk management; and business continuity and disaster recovery planning. These areas will give teams a common vocabulary and an understanding of concepts they can integrate into their requirements and procurement decisions and use to develop strategies and manage risks, not to mention to ensure the appropriate delivery of content is supported and validated. Apart from training courses, consider practice and process improvement, methodology and standards development and the establishment of centers of excellence.
Learning leaders should be prepared for what's next. Who has the luxury of time to wait for disaster to strike? Relying on technology solutions to restrict access hasn't prevented recent digital attacks, losses and breaches, but changing how people think and work will.
Exposed to ever greater risks of information losses, organizations need foundational security training at all levels to improve how they protect their information and networks. Coupling this training with processes and technologies that have considered the security of individual and organizational resources will help organizations design and support a more secure workplace.
[About the Author: Bill Damare is vice president of government markets for ESI International, a project management and contract management training company.]