Australian companies and governments need to put the human element back into cybersecurity and focus on building a narrative around the industry, according to the Australian National University’s Cyber Institute chief executive Lesley Seebeck.
Ms Seebeck, who is the former chief investment and advisory officer at the Digital Transformation Agency and chief information officer at the Bureau of Meteorology, delivered the keynote address at the Gartner Security and Risk Management Summit in Sydney.
She spoke about how cyber security experiences relate to Greek tragedies, why the human factor needs to be returned to cyber and her work at the Cyber Institute.
Speaking to InnovationAus.com, Ms Seebeck said the human factor isn’t currently being considered enough when governments and companies approach cybersecurity.
“We have to remember that it’s a mix of technology and people. Invariably people tend to think that it’s a tech issue and it gets pushed off and doesn’t get the attention it deserves. The people part gets overlooked,” Ms Seebeck said.
“There is a problem with focusing just on the technical. Cyber is essentially an entirely human activity – this is something that we built and we operate inside it. Everything we do is going to be shaped by human values, human activities and human assumptions. The technology is a human artefact.”
While cyber is often thought of as a domain similar to air, space or sea, it needs to be seen as a man-made technology, Ms Seebeck said.
“It’s actually not a domain in the same sense that they’re talking about. You can’t change the air and on land you’re bound by geography, but cyber is something we’ve created,” she said.
“We need to put humans at the centre and build stories around them to understand the nature and environment of why these things happen,” she said.
“Unless you explain why things happen, and they’re often the result of business decisions, then it will happen again and again. Build the narrative around both success and failure, harness that. Make it an art form, in a way that resonates in your particular culture. Find a common point of reference.”
The cyber industry needs to be better at forming narratives around itself, focusing both on its successes and failures. Ms Seebeck compared this to Greek tragedies, which centre on human hubris and complacency.
“That’s part of getting the cultural change. It will take work, time and effort, and input and investment. It’s all about people and what happens when people get things wrong, what happens when they suffer from hubris and complacency,” she said.
“We can all share war stories about incidents we’ve had and find comfort in that but we need to show people how to move on. We need to use that as a narrative to tell the story, because cyber is lost in technical jargon and you lose the human part. We have to look for narratives.”
Significant cyber incidents that we’ve seen in recent years can greatly damage trust in society, Ms Seebeck said.
“Cyber undermines trust, all the way down to the social and technological stack. If you have a low-trust society then that comes at a cost – you’re not as efficient, not as productive, you’re suspicious and you don’t build connections easily,” she said.
“We need to make sure we’re solving the problem, something that helps protect us and the future and lets us operate as a healthier society and economy.”
The ANU’s Cyber Institute aims to do this. Launched at the end of 2017, it was touted as being Australia’s first interdisciplinary cyber institute, combining expertise from across a range of fields to conduct research to lead the nation on cyber.
“We need that interdisciplinary approach. Technology alone can’t solve this – the social side needs the technology. That’s the step-change we need to have,” Ms Seebeck said.