2015-08-18 10:32:29
James A. (Sandy) Winnefeld Jr.
August 13, 2015
No sooner had my coauthors and I put the finishing touches on our Harvard Business Review article that holds up the U.S. military approach to cyberdefense as a model than news stories disclosed that there had been a serious breach of the unclassified e-mail system used by employees of the U.S. Joint Chiefs of Staff in the Pentagon. But the incident in fact underscores our principal point.
Reportedly, the attackers used a spear-phishing e-mail to penetrate the system. The Department of Defense has found that the lion's share of successful cyberattacks are made possible by poor human performance. Indeed, a key element of our thesis is that most organizations place too little emphasis on changing behavior and too much on technical safeguards.
We suggest that companies should follow the U.S. military's example. It is strengthening its cybersecurity by applying the methods used by the U.S. Navy's nuclear-propulsion program, whose safety record is second to none. These include a robust program of training, reporting, and inspections, as well as six operational excellence principles. They are:
Integrity, a deeply internalized ideal that leads people, without exception, to eliminate sins of commission (deliberate departures from protocol) and own up immediately to mistakes.
Depth of knowledge, or a thorough understanding of all aspects of a system, so people will more readily recognize when something is wrong and will handle any anomaly more effectively.
Procedural compliance, which entails requiring workers to know, or know where to find, proper operational procedures and to follow them to the letter. They're also expected to recognize when a situation has eclipsed existing written procedures and new ones are called for.
Forceful backup, which means, among other things, having two people, not just one, perform any action that poses a high risk to the system, and empowering every member of the crew, even the most junior person, to stop a process when a problem arises.
A questioning attitude, which can be instilled by training people to listen to their internal alarm bells, search for the causes, and then take corrective action.
Formality in communication, which means communicating in a prescribed manner to minimize the possibility that instructions are given or received incorrectly at critical moments (e.g., by mandating that those giving orders or instructions state them clearly, and the recipients repeat them back verbatim). Formality also means establishing an atmosphere of appropriate gravity by eliminating the small talk and personal familiarity that can lead to inattention, faulty assumptions, skipped steps, or other errors.
The entire U.S. military is gradually embracing these methods as a central part of its efforts to bolster its cybersecurity. Despite this recent embarrassing attack, it has actually made good progress. With cyberattacks on the private sector a serious problem, business leaders must also turn their companies into high-reliability organizations. Technological safeguards, while vital, will not alone make a company safe.
James A. (Sandy) Winnefeld Jr. was the ninth vice chairman of the U.S. Joint Chiefs of Staff and an admiral in the U.S. Navy until August 2015, when he retired.