On Tuesday, April 25th, ASK had the privilege of being a sponsor and panel moderator at the Michigan Manufacturers Association (MMA) 2017 MFG Forum. This year’s forum theme was cyber security, business innovation, and the importance of protecting your business’s network. ASK’s Josh Gembala wrote the following article for the MFG Forum program:
Does your corporate cyber security program really work? Probably not.
This is a bold assertion to make considering we know very little about the organization you own, manage, or work at. However, we are going to make it just the same, and here’s why. Every day we see failed cyber security programs in every industry, and at companies of every size. Companies are always confident in their implementation, yet these programs all fail in the same two ways. Right now, you are probably saying to yourself, “That’s not the case here. I have spent the money on infrastructure, security solutions, employee training, and cyber security insurance. I’m a rock in the cyber security ocean.” You would not be the first person to believe this while being entirely wrong.
So why do so many well-funded programs fail to achieve anything more than a check in an auditor’s box? It almost always comes down to cultural exceptions and an I.T. department that has not been empowered to focus on security.
Like it or not, creating an effective cyber security program requires attention to business culture. If you think your I.T. department will successfully resolve this alone, you are mistaken. Eventually, they will concede to personal preferences or submit to the continuous stream of complaints about “how it used to be.” The bottom-up approach always fails and leads to a watered-down program implemented by employees now indifferent to its success. If you want to succeed, you need buy-in from every level of leadership, starting with the executives.
One of the most frequent problems we encounter when working with clients is their resistance to dedicating physical resources to security. From the largest to the smallest I.T. departments, this is a constant challenge. If you do not assign resources to your cyber security program, other tasks will eventually take precedence. Tasks such as log correlation and threat research will be preempted by the project that needs extra resources or the new sales associate’s computer that needs to be road ready by tomorrow. If you disagree with dedicating resources to cyber security, then ask yourself what benefit your expensive tools provide when no one is using them.
What is the solution? Step back, stop throwing money at technology, and critically evaluate what you have in place. Ensure your organization is fostering a culture of security from the top down. Make sure to have personnel dedicated to the solutions you have implemented, and acknowledge everyone is responsible for the success or failure of a corporate cyber security program.
To learn more about MMA and additional resources on cyber security strategies for manufacturers: