Daily Archives: September 21, 2010

Howdy from the EnergySec Summit

Well I managed to find my way to the EnergySec summit down here in Bronco Land.  What strikes me as interesting is the fact that years into this process (as in years since Urgent Action 1200 first came into being), we are still largely talking about the same issues, concepts and concerns.  In other words, a large amount of education and clarification still needs to happen in this space as people are still struggling to get their heads around the practical application of these controls.  Now I am not trying to suggest I have it all figured out or that there is a silver bullet out there, but I can’t help but feel that too many people are making this way more complicated than it needs to be.

In my book it is simple.  We have to protect critical infrastructure in order to allow it to do that which it is engineered to do.  That means protection from any and all potential sources of disruption.  If you look at regulations like NERC CIP or best practice standards like ISA99 or the NIST 800 series, you will notice that the end goal is a sustainable program.  Not a project, not a one-time hurdle to overcome and ride off into the sunset.  It is the establishment of a program to help provide the best possible chance of keeping your facility up and running!  And let’s stop couching protests in language about likelihood of terrorist attack.  Yes the threats are real, but the likelihood of someone on the inside inadvertently launching something is much greater.  (See today’s earlier blog on most likely threat vectors.)  If you don’t believe me, log in to hear what McAfee has to say about it via the NPRA on their “You can’t stop stupid” webcast.  Very fitting title!

Nonetheless, the EnergySec summit is interesting and there are some very smart speakers up there.  Too bad it is a message that has been delivered many, many times before.


Safe and Reliable Versus Security Against Hackers

One of the most common things I find myself doing when I get to speak to owner/operators is trying to pitch my philosophy that security is not really JUST about protecting ourselves from the malicious, motivated hacker. Don’t get me wrong, they are out there and the ramifications are potentially significant. (Everyone remember the Aurora project?) And I do NOT want to undervalue the efforts of the many institutions and committees, government funding, research labs and others that pour significant effort into the tracking, monitoring and protection of our interests by defending us from cyber marauders. However, the almost singular focus on the image of foreign (and local) malignant peoples that are probing, snooping, scanning and hacking their way into our cyber systems means we often forget the overall objective of security. I will state it here as it is going to be a recurring theme for me. Our objective is to *protect* the safe, reliable and predictable operation of the critical infrastructure that weaves through all aspects of our lives.

Now securing our cyber space from hackers does have as its objective the safe and reliable operation of cyber systems and the facilities and services they govern. But the other half (or more) of the equation is the unintended or non-targeted cyber threats that exist in everyday electronic interaction. I am talking about the well-intentioned but sometimes less than empowered or enlightened scores of users in your existing systems. I can count on one hand the number of times my organization has been “hacked.” But I run out of fingers and toes if I try to count the number of times a colleague has opened an email, clicked on a link or brought in a USB drive that had a virus or worm on it. The impact to our operations was significant and no amount of perimeter scanning for hacking attempts would ever prevent it because the threat was invited in! Hand-delivered to the desktop and launched by a vetted, trusted and otherwise clever, productive employee.

The point is simply this: If you are trying to convince yourself, your budget or your employees that they have to install two- or three-factor authentication tools, intrusion detection services, create cyber security incident response teams, antivirus, backup, restoration, change management, account management (etc., etc.) tools and processes to protect a tiny little hydro dam that does more for water levels than it does for power production, you are going to have a hard sell. If, however, you embrace the concept that best practice dictates due process and awareness supported by technology in the interest of being able to expect the expected, you might have an easier time getting everyone to pitch in. After all, you are only as secure as your least “secure” employee.
