Paul Ferrillo | April 29th, 2016
Changing the Culture of Cybersecurity

Within each individual lives one core principle: if we don’t like what is going on in our business, job, or life, we are the only ones capable of changing it. No one else. It’s what’s inside of us and our desire to effect change that matters.
Apparently, others feel that way about cybersecurity. This week alone there were several articles exhorting that “it’s time to change the culture of cybersecurity.” One article quoted retired Maj. Gen. Earl Matthews, now vice president of enterprise security solutions with Hewlett Packard Enterprise’s U.S. public sector group, speaking at a FireEye event: “It’s about culture.” Every organization has a different approach to cybersecurity, he said, and a cyber-savvy culture “starts with leadership and how that leadership is being used from the top down.”
You are not alone if you think cybersecurity is broken. You are not alone if you think something needs to change dramatically before we get overrun by today’s asymmetrical cyberwarfare trends. Many experts think the same way. Unfortunately, these same experts have scores of solutions for how to change things, and multiple platforms to sell you to effectuate those changes. Most come without any clear messaging or packaging.
Let us propose two mind-blowing solutions to today’s cybersecurity cultural dilemma. They are both shocking concepts, or “next gen” as many cyber consultants would say. Hold on to your seats:
- Make cybersecurity a business priority: Good cybersecurity does not start from the top down, nor from the bottom up. It permeates every layer of company culture. It exudes from the company’s pores: “Nope, they are not going to get us today. Not on my watch.” It breeds confidence. It breeds competence. Executives need to take responsibility for cybersecurity and set the course. They need to regularly and proactively, in plain English, exchange security information, performance, and trends so that good business judgments can be made about how best to protect the company’s network. Cybersecurity is not just an IT problem. It’s everyone’s problem.
Employees need to live and breathe a culture of responsibility too. For example, not “clicking on the link” can save their company tons of grief. Refusing to authorize wire and funds transfers on the strength of a single email, and verifying the request out of band (a phone call to a known number, not a reply to the email) instead, can prevent sophisticated business email compromise scams. Managers and supervisors need to sing from the same hymnal. Clicking on an unknown link or attachment is never good. Period. Little gains like the ones we mention here can mean big overall gains down the road.
- Protect the Most Which Matters the Most: A good friend, Kevin Mandia, taught me this little saying. It is, however, probably the most under-valued idea in cybersecurity. Once an organization has identified, categorized, and valued its digital assets, it needs to determine which of these assets are most valuable. Is it the plans to a new sports car, a new aircraft carrier, or a new fighter jet? Is it proprietary business or investment information? It really doesn’t matter what it is, so long as the company “identifies” it as sacred. And then protects it like a mother tiger does her cub. Put the most sensitive data in a private cloud. Encrypt the data while it’s there for good measure. Segment it from the rest of your network. Micro-virtualize a firewall around it so that no hostile “east-west traffic” (lateral traffic from other systems already inside the network) can reach it.
We can recommend many other steps to create an adaptive defense. But we won’t. You get the point. Protect your most valuable assets within an inch of your life. You won’t regret it.
In truth, these suggestions probably do not qualify as “next-gen.” But, in fact, maybe they do, or at the least, maybe these suggestions need to be re-examined today. Something is not right today with the culture of cybersecurity. It needs to change. Whether or not it changes is entirely up to us.
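As an added illustration of the “segment it and put a firewall around it” step above (this is example configuration written for this page, not anything from the author, Mandiant, or FireEye), here is a host firewall ruleset in nftables syntax for a server that holds the crown-jewel data. The addresses, the database port, and the names of the sets are assumptions chosen for the example. The idea is default deny in both directions: the only inbound connections allowed are from a named application tier to the data service and from a single bastion host to SSH; everything else on the flat internal network, which is the east-west traffic an intruder on a compromised workstation would use, is logged and dropped.

```nftables
# Added example, not from the original article. Addresses and ports are assumptions.
# Apply with: nft -f crown-jewels.nft
flush ruleset

table inet crown_jewels {
    # Application servers permitted to query the data store (constructed addresses).
    set app_tier {
        type ipv4_addr
        elements = { 10.20.1.10, 10.20.1.11 }
    }

    # The one bastion host allowed to administer this machine (constructed address).
    set admin_hosts {
        type ipv4_addr
        elements = { 10.20.0.5 }
    }

    chain input {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Application tier -> database listener only (assumed to be TLS-only PostgreSQL on 5432).
        ip saddr @app_tier tcp dport 5432 accept

        # Administration only from the bastion, never from the general network.
        ip saddr @admin_hosts tcp dport 22 accept

        # Everything else arriving from inside the network is east-west traffic we did not
        # plan for: log a sample of it for the SOC, then drop it.
        limit rate 10/minute log prefix "crown-jewels-drop: "
        counter drop
    }

    chain output {
        # Default deny outbound too, so a compromised data server cannot freely reach out.
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        ct state established,related accept

        # Only DNS, NTP and the TLS syslog collector (constructed addresses).
        ip daddr 10.20.0.53 udp dport 53 accept
        ip daddr 10.20.0.123 udp dport 123 accept
        ip daddr 10.20.0.200 tcp dport 6514 accept
        counter drop
    }

    chain forward {
        # This host is not a router; never forward packets on behalf of anyone.
        type filter hook forward priority 0; policy drop;
    }
}
```

Two practical notes. First, the `counter` on the final drop rules gives you a number to watch: on a correctly segmented host it should stay near zero, and a sudden climb is an early sign that something on the flat network is probing for the data. Second, the same default-deny shape belongs at the network layer (a dedicated VLAN or cloud security group with equivalent rules) so that the host rules are a second layer rather than the only one; encryption of the data at rest, which the article also recommends, is a separate control that this ruleset does not provide.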