Businesses of all types require true cultural shifts, where cyber risks are looked at holistically within the architecture of a business, with attention from the top executives at the C-level.
Panelist Jeff Kramer of consultant Syzygy Solutions described the cruise shipping industry as offering a unique set of problems because all the normal business issues (multiple operational systems, safety systems and personnel management) are overlaid with the need to create satisfying and unique experiences for passengers.
Joe Mitchell, senior systems engineer, BitSight Technologies, which rates the security effectiveness of different businesses, talked about security having its own ecosystem, telling the audience ‘it goes beyond your own company…you need to look at vendors and customers.’
Part of the cultural change espoused by the panel involves fundamental re-architecting of business design; multiple panelists stressed that the ‘silo’ approach, where a particular system is looked at in isolation, will no longer work.
Kramer talked about cyber being ‘a collective network that has spread across the entire business,’ adding that ‘It’s very challenging because business focuses on individual processes, but cyber is systemic.’
US Coast Guard Rear Admiral Paul F. Thomas, whose responsibilities include Prevention Policy, offered analogies to fundamental changes in the nature of company architectures in response to earlier technological changes, from sailing ships to steam-powered vessels, saying: ‘Cyber is much more than security - it’s how we operate,’ emphasizing the need to think about the design and operation of cyber systems, just like other shipping systems, with design built in well before the actual implementation.
Panelist Chris Scott from CrowdStrike Services recommended entering into retainer agreements (colourfully described as a “Break Glass” arrangement) so specialists could quickly be mobilized in the wake of an incident. Other panelists mentioned ‘tabletop exercises’ to simulate cyber-catastrophes, again not dissimilar to the environmental emergency preparedness drills that shipping companies regularly engage in. Still another panel member likened cyber preparedness to the lifeboat drills conducted on cruise vessels.
Kramer offered practical advice on navigating internal corporate landscapes, with the objective of getting needed internal resources to fix cyber problems. He said that you need to put cases ‘into business terms, have a business conversation, talk about costs, opportunity costs and to emphasize the problems with the most serious consequences.’
He said that front-line shipping teams with cyber problems to solve might seek a champion in the organization who can help have ‘a good business conversation’ in the language of the top executives.
The U.S. federal government is reaching out to industry, with Scott Janezic, an official from the Federal Bureau of Investigation, encouraging shipping companies in South Florida to develop relationships with law enforcement personnel in advance of an incident, and to join local working groups such as InfraGard, a group spearheading cooperation between the FBI and private businesses.