Principles for Better Cybersecurity Outcomes
https://staysafeonline.org/ncsam/landing-page/

Since 2004, October has been designated National Cyber Security Awareness Month by the National Cyber Security Alliance and the U.S. Department of Homeland Security. This year, the organizers of this important initiative have chosen a very appropriate theme: "Our Shared Responsibility." Indeed, given the immense scale and complexity of cybersecurity, every sector of the economy, public and private, must do its part to promote cybersecurity resilience.

In light of this shared responsibility, we at the Center for Audit Quality see several principles that can help guide us to experience better outcomes as we face cybersecurity challenges. We believe these principles should be embedded in the dialogue as policymakers and the private sector mobilize together and individually on this difficult issue.

Understand the Impact

We're all in this together, yet it's easy to lose sight of this simple notion in the aftermath of a cybersecurity incident. When a breach has been discovered and disclosed, there has been a tendency to see some parties—customers or shareholders, for example—as the only victims.

The reality of the complex world of cyber preparedness is that even in the very best companies with the very best protections, there will be breaches. The bad actors are just that smart. Therefore, we must change the dialogue around cyber incidents to recognize that, in many situations, companies that get breached are victims as well.

Recognize the Power of a Market-Based Model for Cybersecurity

Cybersecurity is an issue with national security implications. As we grapple with the issue, we should recognize that our dynamic free-market system is a potent weapon in this fight. Improvements driven by the private sector significantly increase the opportunity to produce meaningful and timely improvements in current practices.

The power of market-based thinking is evident in a new publication, Social Contract 3.0: Implementing a Market-Based Model for Cybersecurity, published last month by the Internet Security Alliance. The book provides wide-ranging perspectives and recommendations from numerous industries and professions across the private sector.

Of course, as National Cyber Security Awareness Month itself demonstrates, governments have played, and will continue to play, a vital role in cybersecurity. Yet, much like countering the tendency to blame the entities that are compromised, we should be wary of rigid or sweeping government mandates that might work to stifle the private sector's equally important role.

Reward Good-Faith Actions

We need to focus on positive reinforcement for good actors. Without such incentives, companies may perceive the regulatory and legal downside of a security breach as being no different whether or not they make a good-faith effort to protect against, detect, and remediate such exposures. They may opt for doing less and hoping that nothing bad happens, and that would be a bad outcome for everyone.

Addressing these and other challenges will not be easy, but fortunately cybersecurity is an area where awareness and initiatives are steadily rising. I urge you to make your voice heard during National Cyber Security Awareness Month. Visit the effort's website for ideas on how to get involved. And, as always, I invite you to share your thoughts in the comments.

A securities lawyer, Cindy Fornelli has served as the Executive Director of the Center for Audit Quality since its establishment in 2007.

Dorian Cougias

Co-Founder and Mother of Dragons at Unified Compliance

6 years

You've used the term Cybersecurity outcome. But you don't define it. And it isn't defined in the NIST Cybersecurity framework. Care to add a definition?

Sir, pls give me IT ACT 66 D latest Supreme Court judgement

Matt Forney

Co-Founder and Executive Director of Technology, Ennovar Technology Solutions

8 years

Agree... there are really so many levels of what I call "Information Security" today that many times things get overlooked that can bring down a company.

Venkataraman M L

Information Systems Auditor (Ex-Banker)

8 years

I totally agree with you when you say "Cybersecurity is an issue with national security implications" and that "governments have played, and will continue to play, a vital role in cybersecurity", but humbly disagree with you when you say that "we should recognize that our dynamic free-market system is a potent weapon in this (cybersecurity) fight". On the contrary, Cyber Security has assumed vicious dimensions only because Governments are hesitating to usher in sweeping changes in Internet Governance and have instead adopted a laissez-faire approach to it, with the result that cybersecurity has become a multi-trillion dollar business for the private sector that is growing by leaps and bounds. Their Cyber Security Solutions have become highly complex and highly expensive over the years, yet they are found to be breachable and hence unreliable. More significantly, they have become unaffordable to small businesses and individuals. In this scenario, only governmental intervention in Internet Technology and Governance through appropriate legislations / regulations / structural reforms can guarantee a safe and secure cyber environment for the free market to flourish.

As an industry, we need to start working to make things more digestible, and less obfuscated. Before any request is serviced, two core questions and one secondary question need to be answered in the affirmative:

1) Are you who you say you are? (Authentication)
1a) What is my degree of confidence? (Identity assurance)
2) Do you belong here? (Authorization)

Every request. Every time. On time. Whether it's web applications, internet of things, services... whatever. Then, understanding your traffic, you can appropriately architect your decision service, your identity service, and your identity lifecycle services to be consumed by the enforcement ecosystem. We need to work to relate these complex concepts back to simpler concepts. As they say, if you can't explain something simply, you don't understand it well enough. And even though there is a lot of complexity in information security, it's not anywhere near as complex as people make it out to be.
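The three questions in the comment above, worked through as an added example (editor's code, not the commenter's or the article's): a per-request decision service that checks authentication first, then the assurance level the identity service reports for the session, then authorization against a resource policy. The session store, the assurance levels, the policy table and the sample tokens are all constructed in-memory data assumed for illustration; a real deployment would back them with its identity and policy services.

```python
"""Per-request access decision: authenticate, weigh identity assurance, authorize.

Added example, not from the original post. Every store, policy and sample
session below is constructed in-memory data assumed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Constructed assurance levels; higher means more confidence in the identity."""
    NONE = 0          # anonymous or unverifiable
    PASSWORD = 1      # single factor
    MFA = 2           # second factor verified
    HARDWARE_MFA = 3  # phishing-resistant authenticator


@dataclass(frozen=True)
class Session:
    subject: str
    roles: frozenset
    assurance: Assurance


@dataclass(frozen=True)
class Decision:
    allowed: bool
    step: str    # stage at which the decision was made
    reason: str


# Constructed session store keyed by bearer token; stands in for the identity service.
SESSIONS = {
    "tok-alice": Session("alice", frozenset({"reader"}), Assurance.PASSWORD),
    "tok-bob": Session("bob", frozenset({"reader", "admin"}), Assurance.MFA),
    "tok-carol": Session("carol", frozenset({"admin"}), Assurance.PASSWORD),
    "tok-dave": Session("dave", frozenset({"reader"}), Assurance.MFA),
}

# Constructed policy: (method, path) -> (required role, minimum assurance level).
POLICY = {
    ("GET", "/reports"): ("reader", Assurance.PASSWORD),
    ("DELETE", "/reports"): ("admin", Assurance.MFA),
}


def decide(method, path, token):
    """Answer the three questions, in order, for one request. Default is deny."""
    # 1) Are you who you say you are?  (Authentication)
    session = SESSIONS.get(token) if token else None
    if session is None:
        return Decision(False, "authentication", "no valid session for presented credential")

    rule = POLICY.get((method, path))
    if rule is None:
        # Unknown resources never get a permissive fall-through.
        return Decision(False, "authorization", f"no policy for {method} {path}")
    required_role, min_assurance = rule

    # 1a) What is my degree of confidence?  (Identity assurance)
    # Checked before the role test: a privileged role at a weak assurance level is still denied.
    if session.assurance < min_assurance:
        return Decision(False, "assurance",
                        f"{session.subject} at {session.assurance.name}, needs {min_assurance.name}")

    # 2) Do you belong here?  (Authorization)
    if required_role not in session.roles:
        return Decision(False, "authorization", f"{session.subject} lacks role {required_role}")
    return Decision(True, "authorized", f"{session.subject} permitted")


if __name__ == "__main__":
    for req in [("GET", "/reports", "tok-alice"), ("DELETE", "/reports", "tok-carol"),
                ("DELETE", "/reports", "tok-dave"), ("DELETE", "/reports", "tok-bob"),
                ("GET", "/reports", "tok-unknown")]:
        d = decide(*req)
        print(req, d.allowed, d.step, d.reason)
```

The ordering is the point: carol holds the admin role but authenticated with a password only, so the delete is refused at the assurance step and the role is never consulted; dave cleared MFA but lacks the role, so he is refused at authorization. Each Decision records which question failed, which is what the enforcement side needs to log and what the identity lifecycle side needs to act on (step up the factor, or fix the role).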
