ComputerWeekly.com

https://www.computerweekly.com/opinion/When-leaders-ignore-cybersecurity-rules-the-whole-system-weakens

When leaders ignore cyber security rules, the whole system weakens

By Raihan Islam

Weeks after the “Signalgate” scandal broke, the problems exposed by White House officials using non-government encrypted messaging services are much larger than one app or one official. It is critical for leaders of any operation, public or private sector, to apply best security practices continuously.

No public statement has been made about improving security protocols. Instead, the public can see that leaders will not be held accountable.

A continuous series of mistakes means no process

US national security advisor Mike Waltz made the first mistake of adding the journalist who did not need to know what was being discussed in the unsecured Signal chat. 

US secretary of defense Pete Hegseth made the second mistake of posting classified information without obtaining verification that the journalist was authorised and had a need to know the classified information. 

Everyone else in the chat, including Cabinet-level officials such as vice-president JD Vance, made the third and continued mistake of doing nothing until after the initial story broke.

The US and its allies may just be lucky that their adversaries were not able to compromise the US military plans that week, but what was compromised was the trust American allies have with their national security counterparts.

This isn’t some random political embarrassment. It’s a case study in how security collapses when leadership treats basic rules as optional. If national security leaders won’t model discipline, how can anyone else in the system be expected to?

Processes and tools are not enough

As a Certified Information Systems Security Professional (CISSP) and COO supporting information security for multiple businesses, I’ve seen firsthand that encryption and published policies aren’t enough.

The Waltz-Hegseth leak, which is an affront to the entire security profession, didn't happen because of poor technology. Signal is excellent when it is used properly. Secure communications platforms, like Sensitive Compartmented Information Facilities (SCIFs), already exist inside the government.

So, how did this scandal happen? Secure practices rely on culture. And culture is set at the top. Waltz, Hegseth and others prioritised convenience over responsibility. They believed the rules were there for other people.

The same risks exist in the private sector. In finance, healthcare, and defense industries, one executive ignoring protocol can compromise an entire organisation, especially if others believe protocol is optional.

Continuous security culture is an imperative

The lessons from the Signal scandal are clear:

• Use secure, authorised tools that go through continuous assessments conducted by trusted third-party security specialists.
• Never share classified information outside vetted networks, and ensure only those with a need to know are able to see such information.
• Escalate violations and apply breach consequences equally with no exceptions for title or rank.
• Work with and support leadership to implement security best practices across all operations, not only obvious revenue drivers.
• Train leaders and contributors alike to prioritise cyber security and refresh learnings continuously, not treat it as compliance paperwork.

Failures at the top don’t stay isolated. They erode standards across institutions and signal to adversaries that they can pursue organisations lacking the maturity required to deal with sensitive information. We’re entering a new paradigm where the threats will become fully automated and, using artificial intelligence (AI), able to leverage social engineering attacks at a massive scale with little effort.

Security starts with leadership, not technology. When rules become optional for those in charge, the system is already compromised.