Picture: 123RF/WELCOMIA

Cybersecurity is a giant risk, and company leaders must pay attention to it. But if we continue to sow more panic than encourage collaboration, the bad guys will keep winning. How do we turn this issue around? The aviation industry offers a clue.

Every flight we catch has room for many errors. When an aircraft arrives at its destination, pilots present the ground staff with a gripe sheet, a tally of problems they encountered during the flight. These can range from major to minor, though most often it’s the latter. Most flights land without their passengers knowing about these issues. No-one shows you the gripe sheet as you disembark.

Imagine if they did. What if the passengers could go to the flight deck for a comprehensive error list? The pilots wouldn’t be able to perform as well as needed, and the passengers might die of heart failure before any crash could get them. There certainly are things the passengers should know, such as coming turbulence, bracing for a rough landing or (horrifyingly) that the coffee machine isn’t working. But the pilot makes that discretionary call and the passengers don’t worry about every item on the gripe list. This way millions of people fly safely and relaxed every year.

Cybersecurity does the opposite, making the lives of leaders much harder. Quite correctly, several laws and governance standards place the responsibility of digital security on the shoulders of CEOs, boards and their peers. Yet it also puts leaders in a tough spot: they feel they must pay attention to every security detail, which they do not and cannot. So the good intentions of holding company leadership accountable risk backfiring.

This is why I bring up the example of flight errors. It’s a good reflection of what cybersecurity does wrong and why we should talk about cybersafety instead. In cybersafety leaders don’t sweat every detail. They have professionals who handle key concerns and elevate problems to the appropriate levels. Think of a manufacturing business. If there is a machine that could imminently malfunction and release gas that would kill everyone on the floor, the CEO should know about it immediately. But if the paving outside the workshop is uneven and a tripping hazard, that’s an item the CEO can address during quarterly reviews.

Right culture

We don’t expect leaders to be on top of every risk in their business. Yet cybersecurity does, encouraged by an industry eager to sell solutions. It's common to find companies spending millions on big brand security, yet those measures often don’t substantially reduce their cyber and business risk.

Cybersecurity is much more complicated than having the right technology. Cybercriminals are motivated and creative. Technology helps stop them. But real defence requires the right culture: a cybersafety culture that understands the business and provides accurate, real-time and contextualised data for all relevant stakeholders to make the right decision. Just like being on a flight.

Cybersafety stands on several pillars. The leadership and board must accept that cybercrime is an ongoing but manageable threat. They should include security voices at their level, such as a security-savvy board member or a chief information security officer. They should also build a relationship and rapport with those experts, trusting them and the integrity of their data. In return, the experts shouldn’t “pass the baton” but rather present something the business leaders can understand.

There should be different lenses for the CEO, board, chief information security officer, and cyber engineers when discussing the same topic.

Everyone must also understand that there are no magic solutions, that security is continual, and that the best security risk mitigation comes from delegation and collaboration.

Digital health

Cybersecurity doesn’t belong on a pedestal. Companies must treat it just like any other department. Leaders should stay informed, but interventions depend on a cybersafe culture. Just as a safety officer knows it is stupid to call the CEO at 2am about an uneven pavement, cybersafety emphasises context and relevance as part of knowledge. Cybersecurity tends to induce panic.

Cyber practitioners ensure the digital health and safety of an organisation. The industry often behaves as if cyber is a commodity, presenting data about the yield of its endeavours. CEOs and boards benefit most when they have the support of a cybersafety culture. It enables them to drive their organisation’s health and safety and ensure they can focus on their business with minimal interruptions. Cyber practitioners ensure their journey is safe on the flight path the business decides to take.

I might be accused of indulging in semantics. But fighting cybercrime is foremost a culture and a community, not big bang security products, pinpointed services and bragging about the new thing we manufacture. If companies treat cybersecurity like another department, not the bogeyman under the business bed, we’ll make a more cybersafe world.

• Golan is CEO and founder of cybersecurity company Performanta.
