Book Review | Why Cybersecurity Is About Culture As Well As Technology
The author has organised the book in four parts, each developing on the last, and you suddenly realise that there is no static or standard SOP towards cyber resilience
Treat this as an official handbook for creating the base for a standard, adaptable and modern cybersecurity system for any major organisation. Keeping in mind this fast-changing AI-modulated world, Dr Durga Prasad Dube’s book not only talks about the systemic risks that any technical oversight department might be mulling over today, but also tries to create space for a future that looks terrifyingly complex.
The author has organised the book in four parts, each developing on the last, and you suddenly realise that there is no static or standard SOP towards cyber resilience. An interesting and positive observation concerns the human factor, which encapsulates those mystical phenomena called trust and culture. It rises to the top of the priority list and does not remain restricted to simply ticking all the right boxes in critical, security-related protocols. While that is important, the current world scenario demands an organisation-wide understanding of underlying risks in every action and reaction.
He offers an interesting example, saying: “Traditional security strategies over-invest in tools and under-invest in people. The irony is that the weakest link is almost always human behaviour. Employees reuse passwords, approve fraudulent invoices or circumvent policies to get work done faster...”
The other issue is the use of artificial intelligence. AI today lives as an enabled platform that can deal with possible situations, such as “supply chain attacks and nation-state operations to cloud blind spots and intelligence gaps,” but when the author talks about “trust, sustainability, shared responsibility and... collective defence models”, human interference and/or cooperation is a necessary precondition. One has to remember that while AI has been enabled as a risk detection module, it also has to deal with AI-enabled and generated attacks that, too, are able to alter SOPs.
As the author points out, cybersecurity has changed from “firewalls and encryption” to “trust, accountability and resilience”, which translates to constant human collaboration, all the time keeping every security protocol on high alert. This is a disciplined approach that cannot be overlooked.
So what is to be done when we “want definitive protection in a domain defined by flux”? Good question, though the answer may be less than obvious. The author points out that “organisations equipped with top-tier tools are still vulnerable to breaches.” And why is that? According to the author, “cybersecurity is as much about culture and management as it is about technology”.
And there is more, as the book points out. The author says that these risks are now intertwined with financial, operational, and strategic risks. Each action, therefore, must be understood to have multiple reactionary effects that may or may not have been addressed by standard protocols, especially when the input of threats is also AI-initiated and, thus, remains undefined.
The book does not advocate specific risk management systems, but points at a generally acceptable receptacle for containment. Hence, while this should be basically considered a textbook for the systems boys of organisations, it is also a commentary on the existing and ideal cultural structure of the organisation or group of organisations in question.
Using his 40-plus years of experience, the author has laid out basic architectural philosophies aimed at developing an organisation-wide response to threats that interleave every action of a lumbering organisational system. Overall, this is essential reading for all boardroom members and top management, not to speak of those directly responsible for assessing risks that abound.
Demystifying Cyber Security: Myths, Mindsets and Quest for Resilience
By Durga Prasad Dube
Bloomsbury
pp. 324; Rs 1,499