Cybersecurity is a positive word
For as long as the cybersecurity industry has existed, fear has been used as a key ingredient for changing the behaviour of people and organisations. But is appealing to fear really the best way to motivate action within the rail industry? No.
As cyber attack incidents increase in frequency, and in media exposure, it is easy to see cyber threats as disablers, and to view the cybersecurity measures that prevent them as a burden. Large monetary losses from cyber attacks, reported in the media, can make many feel helpless, believing they can do nothing to stem the tide.
Yes, it’s true that cyber incidents can lead to worrying consequences, and the news should indeed report on these cases. But if we are striving for lasting change, we should not scare people into becoming more secure. Inflated headlines and scare tactics aren’t driving change; they are disempowering it. Cybersecurity should be a source of positivity, not fear.
The rise of ‘FUD’ in cybersecurity
The rationale for the use of fear comes from the belief that you can make someone care about something by highlighting the unpleasant consequences if they don’t take the recommended action to avoid it.
Unfortunately, even cybersecurity vendors and professionals are increasingly harnessing this opportunity to commercialise and sell based on that fear. The drive to stand out, by being bolder than those around them, has led to an overreliance on FUD (fear, uncertainty, and doubt) to get ‘viral’ attention.
This pattern often gives the impression that cybersecurity is a black hole: no matter how much an organisation invests in cybersecurity, it always has to invest more. Aggressive vendors prefer a customer that will buy what they are told to buy, rather than what the customer actually wants to buy.
Although cybersecurity incidents are on the rise, and the capability to carry out attacks has evolved, the hysteria generated by the media’s and the cybersecurity industry’s fear-mongering has some worrying, and destructive, side-effects.
Defensive mode
When we feel fear, our brains go into a ‘defensive mode’. At an organisational level, operating in a defensive mode can be crippling. It can lead to missed opportunities to evolve and grow, due to a lower appetite for risk and change.
Cybersecurity should not be a blocker to moving forward, nor a reason for not taking risks. On the contrary, cybersecurity is about enabling positive change, moving forward and taking risks while remaining conscious of what is at stake. An inherent cybersecurity mindset will nurture confidence and support the rail industry through further digital upgrades to its systems and services.
Security through obscurity
Many organisations in rail are reluctant to be open about their security postures, out of concern that it will make them targets for spiteful attackers. This comes from an outdated view of hackers who live in darkness and hack companies just to boost their reputation. Attackers go after money and data, not praise. Their attacks are generally focused on those with low security as easy targets, not on those with a publicly acknowledged high security posture.
Security through obscurity, as it is called, is an ineffective practice that has been driven by fear rather than confidence. The rail industry should celebrate its security investments. Doing so is both a powerful deterrent and a demonstration of a high level of cyber maturity.
“This doesn’t affect me”
It’s a well-discussed phenomenon that fear invokes the ‘fight or flight’ response. However, there’s a third response: the ‘freeze’ response. Sometimes fear can simply paralyse us, leaving us like a ‘deer in headlights’. Occasionally we get so overloaded with negative and frightening news that we simply shut down and block out the message.
In the context of cybersecurity, this manifests as organisations being so overwhelmed by the FUD that they become unwilling to put together effective strategies to protect themselves. It creates a “this won’t happen to me” mindset and a desensitisation to the threats.
Compliance as ‘tick box’ exercises
Cybersecurity standards in rail, as in many industries, have been weaponised. They can be seen as ‘comply with this, or else’.
The reality is that the standards were not created as a commercial model based on catching negligent companies and forcing them to pay hefty fines. Cybersecurity standards are developed by collective groups of experts to ‘level up’ the industry. They guide many people along an unknown path by differentiating between what is good and what is not.
Working towards compliance with rail cybersecurity standards should not be seen as an obstacle, a burden or simply a tick-box exercise. It is an opportunity to develop lasting cybersecurity resilience, with a top-down approach throughout the organisation.
Empowering our customers with cybersecurity
We are all responsible for changing the narrative in cybersecurity away from fear, uncertainty, and doubt. Many cyber attacks are due to a lack of due diligence and due care, not because a foreign superpower targeted vulnerabilities.
At RazorSecure, we are keen to show the unique opportunities for empowerment that cybersecurity presents. Instead of “do this, or you will get hacked”, our approach is “do this, and you will enable good things to happen… while also not getting hacked”.
Cybersecurity does have a cost, but instead of seeing it as a tick-box burden, we can look at ways to leverage these investments to create direct value. Good cybersecurity programmes can help the rail industry obtain better premiums from insurance companies, or leverage the trust that a strong cybersecurity posture builds with partners and customers to develop new business and relationships.
The rail industry would benefit from viewing cybersecurity not as a single outcome, but as a long-term series of improvements and capabilities: it’s a journey, not a destination. That journey begins with a positive, and collaborative, conversation.