Taking responsibility for national cybersecurity

Taking responsibility for national cybersecurity

By Christina Torode

SearchCIO.com.au

Maybe I was caught up in the southern hospitality, but there was a sense of kumbaya at the Information Systems Security Association (ISSA) conference in Nashville this month, and not in the sitting-around-a-campfire sense.

The theme of this year's ISSA event was "Harmony in Cybersecurity: Motivate, Innovate, Integrate," and contrary to many IT gatherings I go to, attendees and speakers were eager to help each other combat some serious threats. In many cases, speakers offered step-by-step how-tos on everything from building a security roadmap the business will fund -- yes, fund -- to building a national cybersecurity program that taps the threat knowledge of the public and private sectors to keep us (and our data) safe.

Coopetition, as some call it, among and between private and public entities -- that is, the sharing of mistakes and resolutions for the good of the many -- is a tough sell.

During her ISSA keynote, The Right Honorable Baroness Pauline Neville-Jones, U.K. special government representative to business for cybersecurity, outlined the steps already underway between the U.K. government and private sector companies to make this partnership happen. Largely focused on education for now, the U.K. program aims to move security awareness from the "techies to the boardroom."

"The government needs to form relationships with the private sector because it's the private sector that owns most of the wealth creation in the economy, and they are the operators of the critical national infrastructure," she said in an interview with SearchCIO.

Security threats and the risks they pose to our national economy and critical infrastructure that keeps our country running is front and center in such sectors as banking and telecom, but outside of these sectors, awareness is alarmingly low.

"Pharma is an example of a sector with extraordinarily valuable IP which is being stolen; while this sector's awareness position is far too low," Neville-Jones said.

Only you can prevent national cybersecurity threats

So whose responsibility is it to create a community of security threat awareness and guidance for battling those threats? Not our federal government alone, according to Neville-Jones, given its size and tendency to be siloed. Sure, the feds should take a lead in policy formation (with input from corporations), but Neville-Jones recommends starting at the state level, given that state agencies have the infrastructure procurement power and can enforce security guidelines with suppliers and partners.

At a corporate level, it is not the responsibility of the security department, but ultimately the CEO and the board of directors. "It isn't the technology, it isn't the security department or the CISO, it's much more. Understand it has to be the top person's issue, not the issue of those down in the weeds. Get that level of awareness established and [a national program] will start to get somewhere," she said.

More on cybersecurity strategies

Former Whitehouse CIO: tie security to corporate objectives

Using cybersecurity controls to protect data

Cybersecurity and the CIO's role

Another point? Push the trade groups in your given industry to drive security standards forward.

It won't be easy.Coopetition as some call it, among and between private and public entities -- that is, the sharing of mistakes and resolutions for the greater good -- is a tough sell. In today's hypercompetitive business environment, the other guy's failure, let's face it, is often seen more as an opportunity to exploit than to help fix. Security breaches cause stocks to plummet and reputations to be sullied. Companies that know how to root out threats and squash them have an advantage over those that cannot, so why help someone gain the advantage you have?

Maybe future generations will take the responsibility out of the hands of the government and corporate CEOs. The current and coming generations live in a culture of sharing (in some cases, oversharing) in public forums; maybe it will become a given that knowledge is shared on security forums as often as helpful how-tos are shared on forums like Pinterest.

After all, "culture is often a lot more powerful than law," Glenn Harlan Reynolds, Beauchamp Brogan distinguished professor of law at the University of Tennessee, explained in his ISSA keynote. Reynolds was talking about how information leakers or whistleblowers are not always bad for business or the government. If we live in a culture that "doesn't beat down those that report behavior that is unethical or pose a security threat, our fight against security threats as a society will be stronger," he said. If only.

30 Oct 2013