Employees Are Not the Weakest Links

Michael Cole, CTO, European Tour Group, explores the critical role employees play in building a robust cybersecurity culture and how they can serve as the strongest first line of defense—transforming them into a “human firewall.”

Cybersecurity is not just about technology; it’s also about the organization’s culture and its people. This month is Cybersecurity Awareness Month, reinforcing the understanding that cybersecurity is everyone’s responsibility and that employees do not have to be and should not be the weakest link. They are critical to every organization’s cyber strategy and can be the strongest first line of defense, acting as a human firewall.

Securing ETG’s Smart Cities
Professional golf has undergone a huge technological transformation in the last few years with data analytics, biometric analysis, virtual reality training, and other digital advancements. Also, there have been innovations in broadcasting tournaments on TV and online, which is a complex endeavor due to the use of up to 120 cameras across 18 holes over four days.

The ETG tournaments are divided into four separate tours: the DP World Tour, the Challenge Tour, the Legends Tour, and the G4D (Golf for the Disabled) Tour. They are staged in 40 countries, with more than 150 golfers playing at a tournament. In addition to these events, ETG also manages the European side of the Ryder Cup tournament. These tournaments are televised in over 160 countries, an addressable market of over 600 million households.

The use of smartphones for video and imagery used to be banned on the courses, but now the ETG has implemented a “digital first” approach to always give stakeholders the correct information at the right time. This is why we now have many online applications. There’s one app for volunteers and another for players. There is also an app for incident management for health and safety along with an app for fans around the world and, of course, one for fans on the course, so that the golf courses now operate like “smart cities.” For these smart cities, the focus is no longer on just connectivity and being a data-led organization; it is also about accurate insights and intelligence. However, this embrace of technology has led to the expansion of ETG’s threat landscape, immeasurably increasing the organization’s vulnerability.

Now, the primary question ETG has had to grapple with is: “How do you securely network a ‘smart city’ that must be rebuilt multiple times each year in different locations around the world and with no more than a few days of annual downtime?”

Developing the Human Firewall
While board-level buy-in and top-down engagement are critical aspects of any cybersecurity strategy, Michael believes bottom-up awareness campaigns are key to successfully protecting ETG’s tournaments. He stresses that ETG staff members are not “the weakest link,” as some security specialists say, but are valued as part of the organization’s first line of defense.

Michael divides technological transitions into three stages. The first stage involves deploying technology, which can be done quickly. The second stage involves implementing the new process, which may take a little longer to think through, implement, and embed. The third stage involves changing the culture, which takes much longer because the mindsets that need to be altered are deeply rooted in the organization.

Getting the Board on Board
If organizations want to build a cyber-aware workforce, they must start by acknowledging the people piece of it. It has to start at the top. Organizations need to use meaningful language with the board and executives to get leadership behind efforts to support this human firewall concept. When terms such as cyber terrorism and cyberthreats come up, leadership needs to know that three areas of the organization can be significantly impacted: reputation, financials, and staff morale and motivation. These are key topics that interest any board of directors or leadership team. Changing the narrative and putting it into language that they truly understand and that truly resonates with them helps make cybersecurity a board-level agenda item for discussion and drives the cyber protection mindset from the top.

Business leaders, technical developers, and everyone else must always consider security. When an organization reaches this point, it has successfully changed its mindset. Security is a behavior and should never be an afterthought.

Engaging Everyone in Training
Some organizations opt to develop security awareness training in-house. But for those who don’t have the resources to do so, high-quality SaaS-based offerings are available that deliver a comprehensive and timely curriculum, such as the Fortinet Security Awareness and Training service. Fortinet’s offering includes a dashboard featuring campaign and user activity with out-of-the-box reporting, an intuitive administrative interface, and the ability to customize or co-brand the service.