America’s ‘culture of security’ imperative is here

As a chief technology officer of a cybersecurity company, I’m often asked what it will take to mitigate the cyber risks we face today. While technology certainly is a big part of the answer, it’s not the only factor.

We need to create a culture of security — a culture in which security is baked into the vision and values, and where security serves as a lens through which every decision is viewed. Building a culture of security means security isn’t just a job for the information technology and security experts, but a mindset and best practices that influence hiring, partnering, technology development, internal and external communications — everything.  

{mosads}In Silicon Valley, for example, the culture of risk-taking is embedded in people’s values and actions. You don’t have to teach entrepreneurs that experimentation is good and that failure is a necessary part of the innovation process; they simply know it’s true and act on the basis of it.  We need the same kind of cultural attitude about security — one where people don’t even have to think about it, but automatically incorporate security into their processes.

It also is an economic imperative to create a culture of security. The U.S. Council of Economic Advisers estimates that cybercrime cost the U.S. economy between $57 billion and $109 billion in 2016 alone. A 2018 report by the Center for Strategic and International Studies (CSIS) estimates that cybercrime costs the world economy almost $600 billion, or 0.8 percent of global gross domestic product.

While understanding the impact of cyber is necessary, it is not sufficient. To build a culture of security requires action and a broad-scale change in behavior. This may sound daunting, but the United States has a history of changing behavior when we put together the right combination of tech, policy and communications.

In 1966, Congress authorized the federal government to set safety standards for new cars by making seat belts, padded dashboards and other safety features mandatory by 1968. By 1979, all states had laws requiring infants and young children to wear seat belts or sit in car seats. Then came national ads from the U.S. Traffic Safety Administration with slogans such as “It’s a nice way to say I love you.” Those were followed by perhaps the most influential part of the safety equation: “Click it or Ticket.” That catchy slogan rolled out nationally, through advertising directed largely at teens.

Through improved technology, laws and thought-changing communication campaigns, America’s view of seatbelts and car safety evolved, and the number of car deaths decreased significantly from over 53,000 in 1968 to less than 38,000 in 2016 — despite three times as many miles now driven each year. In essence, we can credit the combination of using technical innovation such as seat belts, anti-lock brakes, airbags and collapsible steering columns in conjunction with new attitudes around using the technology and reducing threats that were caused by unsafe behaviors, such as driving under the influence of alcohol or drugs.

So how do we apply these examples to better protecting our nation from cyber threats?

There’s no question that we’re going to need the help of policymakers to support a multi-year culture of security campaign, just as they supported the seatbelt and anti-drunken driving campaigns of the past. Implementing effective public policy cannot rely solely on traditional government tools such as legislation, regulations or taxes.

Adopted strategies should be comprehensive and balanced, and include education, public information, mass media, appropriate legislation and encouraging measures such as grants or other forms of assistance.

It also is critical for legislators to hold hearings on how to build a more substantive culture of security, inviting experts from cyber and other fields to share their perspective on how we can create a different mindset and effect behavioral changes.

These are high stakes. Businesses and governments know it. Consumers? They’re coming around. Nearly everyone who uses a credit card or has an email address has encountered cybersecurity threats, from phishing emails and frustrating malware to stolen identities and financial fraud.

As attackers grow more sophisticated, and the threat of large-scale attacks against our national security increases, we can’t be passive. We need to act to instill a security-first mindset in every citizen and every business in the United States. We need political will, we need business leadership, we need targeted campaigns, we need technology — and ultimately, we need citizens to stand up to help protect our nation and the world. When we’ve accomplished this, we will have built a culture of security.

Steve Grobman is senior vice president and chief technology officer for McAfee. In this role, he sets the technical strategy and direction to create technologies that protect smart, connected computing devices and infrastructure worldwide.