Exposing Mental Roadblocks Hindering Cybersecurity
The question often arises as to whether Cybersecurity is a technical issue or a people problem. I think the question is inherently inadequate because of its broad-stroke label of a 'people problem.' That label discounts the reality that people have perspectives formed by their environment and experience. Right or wrong, all viewpoints must be respectfully considered valid and relevant in the conversation. Ignoring the psychological component is inhibiting the momentum of Cybersecurity in these industries.
Most water and wastewater utilities have Cybersecurity postures directly attributable to the psychology of those who make decisions on their behalf. Much of the current industry perspective has been formed, at least in part, by common psychological roadblocks that fall into one or more categories. Some of these roadblocks are perception-based, and some are very much reality-based. Most are a combination of both. It seems critical that these perspectives are acknowledged first and foremost, then explored individually to expose the source of each and determine how to move it out of the way. This transparency is often the most challenging obstacle. The discussion requires vulnerability and trust, not only in conceding that these causes of hesitation and confusion exist but also in disclosing the state of owner systems as part of that concession. Exposing them in this way may help instill confidence that these are shared perspectives within the water and wastewater communities, not just individual ones. Once these roadblocks begin to move for utility decision-makers, culture change begins. Improved Cybersecurity cultures across multiple utilities can (and likely will) lead to collective momentum that results in significant industry progress over time.
With this hopeful goal in mind, communication and education seem to be the tools needed to get these psychological fixtures out of the way. Here are a few perspectives I have encountered in my experience. Comments from the industry community are welcomed and appreciated, including any viewpoints that I have no doubt overlooked. The conversation around this topic, much needed at this stage, should consider all perspectives.
1. The belief that sufficient protection is in place now
"We haven't had a problem, so?"
2. Legacy components in the system create obscurity that modern threats cannot exploit
"Our system is from a different time, before the internet; we will worry when we upgrade it."
3. Near-total reliance on integrators and consultants to include appropriate controls
"I rely on the knowledgeable and talented staff in the organizations that design and implement these systems to account for Cybersecurity."
4. Cyber information overload
"I am simply overwhelmed by the sheer quantity of information available and unsure where to start."
5. Lack of faith in solutions to provide real protection
"I'll take my chances."
6. Shortage of information on prior industry incidents that are relatable
"We don't seem to be an interesting or compelling target."
7. Too many other priorities for time and money, and addressing Cybersecurity takes both
"We don't have a budget for Cybersecurity."
8. Need justification to develop a budget, lack of clarity on the ROI of implementing controls
"I can't make a case to the board if I don't understand the cost and cannot quantify the benefit."
9. Absence of professional emphasis on Cybersecurity in industry
"My integrator knows this technology; they must understand Cybersecurity."
10. Unavailable internal resources to manage a Cybersecurity plan
"We don't have resources to implement Cybersecurity policies, much less manage them."