Cyber criminality has never been so close and imminent. It affects our economy and our social interactions. Security awareness is key for the world to continue performing its activities. The event on Cybersecurity addressed project management from a different point of view.
Cyber security is needed not only because of the big financial impact it has on our industry and economy; it is also impacting our safety.
Up to 3 years ago, when Norsk Hydro was attacked, people thought cyber criminality happened online: crooks exploring new ways to “earn” money by invading insecure networks, bullying the factories, and claiming ransom before the systems were released.
At Norsk Hydro, the impact was much more severe: it didn’t only impact the systems, it also impacted the safety of their human resources. It is from that point onwards that people started thinking about cyber offences no longer being solely an IT threat, but also an OT (operational technology) threat.
Running a project is no longer only about achieving a goal within scope, budget, and time. Nor is it any longer about following a logical structure that will help us achieve our goals. And neither is it only about monitoring the figures. Cyber criminals make us act beyond all of that.
We, the BAs, PMs, Program Managers and Portfolio Managers, need to go beyond our methods and work alongside all departments to establish true continuous process improvement and continuous change management.
Change management awareness has become very important. We need to keep the staff aware that everyone can be lured into a cyber trap.
Obviously, the automated lines of defense are the technical lines, such as firewalls, authentication techniques, storage policies and so much more that can be programmed.
However, the real front line is us, the people.
Being aware of all kinds of deceptive messages, links and information that can lure us into a cyber trap will prevent us and our companies from being victimized.
Now, this whole article is evolving from security into awareness, but why?
Being aware that criminals can intrude into our network will secure our safety. Our safety will make sure that we can all continue performing our jobs (remaining available operationally). Doing our jobs will keep our data integrity safe and will give us the confidence that, in case of a threat, we’ll be able to act appropriately.
Of course, we’re all human beings. And acting appropriately is not something we keep remembering. So, YES, accidents happen. Therefore, when all possible tools and techniques, recurring training and continuous improvement are in place, additional insurance can help ease our minds.
This second part of the event, being about cyber insurances, taught us that one doesn’t go without the other.
Simply buying insurance won’t help you prevent cyber-attacks. It only helps when all of the above tools and techniques are in place.
Buying insurance also requires a structured approach. This need is there because the insurance box is an empty vault that needs to be filled up with the right requirements. Insurance companies will only be able to cover the risks when a safety maturity study has been performed. This again brings us into the awareness area since such a study will reveal the blind spots in our companies, architecture, and jobs.
Also, insurance will only cover the financial aspect in case of an incident; the incident will still impact the availability of your systems and operational technology.
The Belgian chapter would like to thank both presenters for demonstrating that cyber security is a combined effort of systems and humans if we want to keep ourselves safe.
By Didier Timperman