I teach cyber risk as part of the Master’s Degree in Cyber Security and the Cyber Executive MBA programmes. I have a slide talking about the landscape which cyber professionals – leaders, managers, operators etc. – have to navigate. In it I list the macro level drivers shaping cyber; geopolitical change, technological innovations, systems convergence, lifestyle changes, business changes, financial turmoil.

This slide is 12 years old, delivered to the very first MSc cohort, and while the rest of the material has gone through radical updates as the science evolves, this slide has never needed updating. Change for cyber is rapid, confusing and happens at an inconsistent pace.

But there is a difference now, cyber security is important!

More than ever, user agnostic news feeds are reporting on cyber breaches and their effects. There are documentary programmes on TV and radio about the effect of cyber security issues. It is incorporated into entertainment programmes. In short, cyber security is culturally pervasive and the implications are profound for cyber leaders; if the market won’t act then governments and legislative bodies will.

The introduction of GDPR and Network and Information Systems Regulations (NIS) was a definite step in this direction. More recently the UK has introduced laws to protect consumers against poor security in IoT or smart products [i]. And while the general consensus is that legislation moves slowly and cautiously, there does seem to be an increasing frequency of change in this regard. Similarly, the consultation regarding new controls for Ofcom around social media protections for children is a response to public pressure. The recent e-gate passport failure is further evidence of this type of shift. It was not enough for the home office to present it as a technical failure, they also had to assert that it was not the result of a cyber attack.

These are all pieces of evidence that society has reached a cultural tipping point. The availability of cyber related information has reached a critical level within society, to the point where it is readily available in peoples’ minds. This then, brings into play peoples affect heuristic, where they can take a short cut to a decision, rather than having to think about it and assess lots of information. We see this affect all the time, where sensationalist news items are all people can remember or talk about. In this case, cyber reporting is now pervasive and persistent.

This is further exacerbated by poor definition of what is cyber; seemingly anything bad that happens with digital systems is considered as a cyber security issue, for example the recent catfishing attacks to members of parliament and Westminster focused journalists[ii]. But while cyber is pervasive in society’s consciousness, society has not reached an understanding of what it wants to do about it. So, the operating landscape for companies and governments is being driven by increasing, but uncertain, cultural pressure.

All this represents a significant shift in the complexity which cyber leaders need to consider, and ignore at their peril. Different sectors have always had differing, complex cyber regulations and legislation to deal. But these are symptoms and like a doctor who only deals with the symptoms, the underlying cause remains un-investigated until more serious, terminal conditions may accrue.

Therefore, cyber leaders must go beyond reacting to the symptoms in front of them. They need to develop the capacity to anticipate and consider drivers outside their cyber focused eco-system, such as cultural pervasiveness. In an increasing competitive economic landscape, this anticipation – the ability to stay at the cutting edge – may mean the difference between a company failing or prospering.

[i] https://www.gov.uk/government/collections/secure-by-design

[ii] https://www.politico.eu/article/uk-parliament-naked-photos-phishing-attacks-mps-staff/