The Pillars of Cyber Discipline

“The Warrior Ethos embodies certain virtues—courage, honor, loyalty, integrity, selflessness and others.”

-Steven Pressfield

Ethical Conduct 

Ethical conduct forms the backbone of cyber discipline. It involves understanding and adhering to a code of ethics that respects privacy, confidentiality, and the integrity of systems and data. It also means not engaging in activities such as hacking, phishing, or spreading malware, which are not only unethical but illegal.

Risk Management 

Effective cyber discipline involves identifying, assessing, and mitigating cyber risks: conducting regular audits and assessments to find vulnerabilities, and implementing measures to address them. Within risk management, it is critical to develop a robust incident response plan so that a security breach is met with quick and effective action.

Risk management also means holding a company accountable for the risks it accepts on behalf of its customers; for example, not raising prices to push onto the customer the cost of its own failure to do what is right. It’s not always right to do what is easy.

The Impact of Cyber Discipline on Cybersecurity: Building Trust 

Cyber discipline helps build trust among customers, stakeholders, and the wider digital community: by demonstrating a commitment to ethical conduct and data protection, organizations can enhance their reputation and build stronger relationships.

Building trust also comes at a price. A lot of companies believe they are “secure”, but when you look under the hood, there is unencrypted PAN (Primary Account Number) data sitting on their LAN (Local Area Network). That could be a risk that was accepted simply because it was “too hard” or “too expensive to fix” or, the best one, “we could, but don’t want to”. Another idea is that MPLS (Multiprotocol Label Switching) is “secure”, so PAN data is sent down it, backed by a legal document stating that if the data gets stolen they are absolved of blame; that is how some payment processing businesses are operating. This is the risk acceptance they are willing to take to “Keep the Lights On”, and it is more the rule than the exception. Companies will accept the risk with the mindset, “what are the chances…”. Something to ponder when we accept a company’s EULA.
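Before a risk like “unencrypted PAN on the LAN” is accepted, it is worth checking whether PAN is actually sitting in clear text in logs, tickets, exports or shares. The scanner below is an added example, not code from the original post: it finds 13–19 digit runs (with optional spaces or dashes), applies the standard Luhn mod-10 checksum to filter out most ordinary numbers, and reports only a masked form of each hit so the audit output itself does not become another copy of the data. The sample log lines are constructed for the example, and the card number in them is a well-known public test number.

```python
import re

# Candidate runs of 13-19 digits, optionally separated by single spaces or
# dashes, which is how PANs tend to be typed into tickets, logs and sheets.
# The lookarounds stop us matching a 13-19 digit slice of a longer number.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample data: line 1 holds a public Visa test number (Luhn-valid),
# line 2 a number that fails Luhn, line 3 a phone number and a 22-digit reference.
SAMPLE_LOG = """\
2024-05-01 txn ok card=4111 1111 1111 1111 amount=42.00
2024-05-01 txn ok card=4111111111111112 amount=13.37
support line 555-123-4567, ref 1234567890123456789012
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits (the usual BIN + last-4 masking)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Scan text line by line; return masked, Luhn-valid PAN candidates."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append({"line": line_no, "masked": mask(digits)})
    return hits


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_LOG):
        print(f"line {hit['line']}: possible PAN {hit['masked']}")
```

Luhn passes for many non-card numbers, so a hit is a lead to verify, not proof; the point is that the answer to “is there clear-text PAN here?” should come from a check like this rather than from the assumption that it was too hard to look.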

Enhancing Data Protection 

What does this even mean? What do we expect? It seems like an amazing LinkedIn buzzword that C-levels use to captivate and capture audiences. But how do you enhance data protection? When companies ignore their own RMF (Risk Management Framework) so as not to lose revenue, is that enhancing data protection? The digital can gets kicked down the road and companies pray not to get breached. It worked very well for MGM, Boeing, 23andMe, and many others.

Enhancing data protection must come from a mindset that wants security over compliance (the bare minimum), and that treats risk acceptance not as the default but as the Alamo plan.

Regulatory Compliance 

Regulatory compliance is the bare minimum, and it is not security. Compliance is a list of “duh” items that you should be doing out of the box. Compliance is an excuse to say “we did everything we could” when in fact you didn’t. What was missing was the discipline and ethos to get done what is needed rather than push it down the road to make it someone else’s problem.

In conclusion, cyber discipline goes beyond mere adherence to rules. It’s about fostering a culture of responsibility and respect in the digital space. By doing so, companies can start being “offensive” against hacks instead of constantly being on the defense, spending money and losing after the fact.