Learn about the CyberSecureFlorida initiative, a statewide critical infrastructure cybersecurity risk assessment that is voluntary and free to both the public and private sectors. This event will be live streamed via Zoom with interactive Q&A.
Learn about the CyberSecureFlorida initiative, a statewide critical infrastructure cybersecurity risk assessment that is voluntary and free to both the public and private sectors. This event will be live streamed via Zoom with interactive Q&A.
Lunch provided
Tallahassee Community College Center
444 Appleyard Dr,
Tallahassee, FL 32304
Note: The location has changed from the Center for Innovation to the TCC Main Campus. Building, room, and parking information will be emailed to registrants.
This event will be live streamed via Zoom with interactive Q&A if you are unable to attend in person.
n
July 18, 2022—TAMPA, FL: After helping to oversee a period of rapid change and dramatic growth at the Florida Center for Cybersecurity (also known as Cyber Florida), Staff Director Ron Sanders, DPA, has announced his retirement. Dr. Sanders first served as a member of the Board of Advisors upon the center’s founding in 2013. In 2020, he was brought on as staff director under former Executive Director Mike McConnell, VADM, USN, Ret., who has also recently retired. During his tenure as staff director, Dr. Sanders championed several new initiatives that garnered national recognition for the center and helped secure significant new funding for a series of efforts to improve the state’s overall cybersecurity posture.
“I am grateful to Dr. Sanders for his many notable contributions to this organization,” said the center’s new executive director, General (Retired) Frank McKenzie. He continued, “His leadership was instrumental in elevating Cyber Florida to national prominence, and together, he and VADM McConnell built an impressive legacy. I’m proud to carry on the remarkable momentum they created and wish Dr. Sanders well in retirement.”
Dr. Sanders’ career includes nearly three decades of decorated civil service. Among his many accomplishments, he helped lead the historic post-Cold War transformation of the U.S. Defense Department and the post-9/11 stand-up of the Department of Homeland Security and the Office of National Intelligence. He managed the recruiting, development, and deployment of thousands of new intelligence officers to fight the Global War on Terror and the restructuring of the IRS. He helped establish the United Arab Emirates’ cybersecurity and space agencies and China’s National School of Administration. He was also a presidential appointee, serving as chair of the U.S. Federal Salary Council from 2017 to 2020.
Dr. Sanders is the recipient of three Presidential Rank Awards (from DOD, IRS, and the U.S. Office of Personnel Management), two Teddy Roosevelt Distinguished Public Service Awards, and the National Intelligence Distinguished Service Medal. He is the author of four books and has served on the faculty of several distinguished institutions, including George Washington University, The Brookings Institution, and the University of South Florida.
During his tenure with Cyber Florida, he led the transformation of the University of South Florida’s online M.S. in Cybersecurity into four independent cyber-focused master’s degree programs to better align with employer needs. He advocated for the launch of the center’s highly successful Operation K12 program, and his passion for public service led him to create the Cyber Citizenship Education initiative, designed to teach K-12 students to navigate online misinformation and disinformation, among other accomplishments.
ABOUT CYBER FLORIDA
The Florida Center for Cybersecurity, also known as Cyber Florida, was established by the Florida Legislature in 2014 to help position Florida as a national leader in cybersecurity through education, research, and outreach. Hosted by the University of South Florida, Cyber Florida leads a spectrum of initiatives to inspire and educate future and current professionals, support industry-advancing research, and help people and organizations better understand cyber threats and what they can do to stay safer in cyberspace.
###
After a highly distinguished career in public service spanning more than five decades, the Honorable J. Michael “Mike” McConnell, VADM, USN, Ret., has retired as executive director of the Florida Center for Cybersecurity at the University of South Florida (USF), also known as “Cyber Florida” as of June 30, 2022. General Frank McKenzie, USMC, Ret., has been appointed by USF President Rhea Law to be Cyber Florida’s new executive director. General McKenzie will also be leading USF’s new Global and National Security Institute [link to USF news article].
McConnell first served as chair of the board of advisors upon the center’s launch in 2013. He assumed the role of executive director in February 2020 at the behest of then-USF President Steven C. Currall. During his two-and-a-half-year tenure, McConnell elevated Cyber Florida from a regional center to a truly statewide entity, helping to guide policy at the state level and expanding the center’s reach beyond the State University System of Florida to include the Florida College System and the state’s public school districts, the state’s defense extensive defense industry, and several federal agencies. Under his guidance, the center also forged strong relationships with Florida’s military community, robust defense industry, and several federal agencies, including helping to bring in several million dollars in grants from the National Security Agency.
“We sincerely thank Vice Admiral McConnell for his decorated career of service to our country and his many important contributions to the success of Cyber Florida. We wish him the best in a well-deserved retirement,” USF President Rhea Law said. “With the foundation Vice Admiral McConnell helped establish, I look forward to seeing Cyber Florida continue to strengthen the cybersecurity industry across our state and the nation in the future.”
General Frank McKenzie, who recently retired from the U.S. Marine Corps as commander of U.S. Central Command, has taken over as Cyber Florida’s new executive director as well as leading USF’s new Global and National Security Institute.
“Vice Admiral McConnell has set Cyber Florida on a solid trajectory to position Florida as a national industry leader and model state for cybersecurity, and I intend to carry on that mission leveraging the strong momentum he and his team have created,” said McKenzie.
When we think of insider threats, the common image is that of a disgruntled employee who takes out their anger on their employer or their manager. Research from the University of Central Florida reminds us that this is seldom the case.
While investment in cybersecurity has risen considerably in the face of a huge increase in attacks during the pandemic, often this investment has focused on technologies to try and keep data and systems safe. While such investments are worthwhile, the most vulnerable part of any system is almost certainly going to be us humans. The authors highlight that when organizations do have cybersecurity training, there is often an implicit assumption that insider threat attacks are done with malicious intent.
The reality, however, is that our failure to comply with the cybersecurity processes of our employer is more likely to be driven by stress. The researchers quizzed around 330 employees who were working remotely during the Covid pandemic. The workers were asked about their adherence to the cybersecurity policies of their employer alongside things such as their stress levels.
They followed this up with in-depth interviews with a group of 36 employees to try and get a better idea of just how the shift to remote working as a result of the pandemic may have affected cybersecurity. The results show that adherence to security policies was pretty intermittent. Indeed, on a typical workday, 67% of participants said that they had bypassed official cybersecurity policies at least once, with there being a 5% chance that they would do so on any given task.
It should perhaps be self-evident that breaches on this kind of scale are unlikely to be driven by widespread discontent with one’s boss or employer, and this was indeed what the researchers found. Indeed, the top response when asked why people circumvented security protocols was that doing so better helped people to get things done, either for themselves or for a colleague. This reason accounted for around 85% of all intentional breaches of the security rules. Contrary to popular perception, an intentional desire to cause harm only accounted for 3% of the security breaches. To put that into perspective, that makes non-malicious breaches around 28 times more likely than deliberately malicious breaches.
Importantly, the relatively benign breaches were far more likely on days when employees were suffering from stress. This strongly suggests that being placed under stress reduces our willingness to abide by rules if those rules are perceived as stopping us from doing what we need to do.
The causes of stress are oft-cited and include family demands, job insecurity, conflicts with our colleagues, and even the demands of the cybersecurity rules themselves. However, there was a clear link between the pressure people faced to do their job and the belief that cybersecurity procedures inhibit their ability to do that job as effectively as they felt they needed to. Adhering to protocols often resulted in feeling like jobs take more time or effort to complete, with employees also complaining that the protocols made them feel like they were being monitored and couldn’t be trusted.
The researchers accept, of course, that their findings were a result of self-reporting from participants, so they would only be able to report on cybersecurity breaches that they were themselves aware of. This will mean that breaches as a result of a lack of knowledge or poor practice will have almost certainly been overlooked because people only know what they know. The findings do nonetheless remind us that insider threats are seldom the result of malicious and deliberate intent but rather due to a lack of training or intense pressure to get things done as quickly as possible.
So what can managers do to improve adherence to the guidelines and, therefore, the security of their systems? A good first step is to appreciate that the overwhelming majority of security violations are intentional and benign. People simply want to get their work done as efficiently as possible, so cybersecurity training should work on that basis and inform employees how they can do this while still remaining secure.
It’s also important that people feel confident enough to speak up whenever they breach security policies, as the quicker they can do this, the quicker the challenge can be addressed, and any security risks plugged.
“How do people react when the employee makes a mistake,” Kaspersky’s Chris Hurst says. “It’s crucial that if employees make a mistake that they’re confident enough to open up about it and escalate it to people who can do something about any possible risks involved.”
It would also be prudent to ensure that staff are included in the development of security protocols. This would help to ensure that protocols aren’t developed that would inhibit people’s work and result in them striving to find workarounds that reduce the effectiveness of the protocols themselves. By better understanding how protocols affect people’s workflows, security teams will have a better chance of adherence. This is especially important as people have moved to remote working and therefore taken on different ways of working.
Of course, tackling the stress and pressure that workers are under would be no bad thing either, but perhaps the key takeaway from the research is that the way we design our jobs and the way we design our cybersecurity are intrinsically linked. With cyberattacks on the rise and affecting most organizations, it’s no longer good enough to assume that insider threats are the result of a few bad apples but rather the poor way in which jobs and security protocols are designed. Once we grasp that, we can perhaps start to make positive headway.
As seen in The Cyber Post: https://thecyberpost.com/news/security/stress-prompts-employees-to-break-cybersecurity-policies/
