This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.
There is an adage, old, like all adages, that goes, “April showers bring May flowers.” One might add that a more particular benefit for those suffering from allergies is they wash the pollen from the air, offering sweet respite for at least short periods. In furtherance of this line of thought, the April cybersecurity news might fall under the heading “Into each life some rain must fall.”
Industry analyst Bob Sorensen recently told us something most IT managers already know deep in their apprehensive hearts: cyber security is in a sorry state (see “Be More Afraid,” Enterprise Tech, Nov. 18, 2016). Security at many companies is somewhat marginalized, an unfavored area that lies outside core IT operations and procedures, a focal point at many companies of ineffectuality and denial that can be characterized as: Don’t just do something, sit there! Part of the problem: cyber security is purely defensive in nature. We don’t want it until we need(ed) it. It doesn’t add to the bottom line; it’s a cost center seen as hindering optimal operations. Corporate boards tell senior managers that, yes, of course cyber security is important, but don’t let it interfere with daily business. Yet everyone grasps the bottom line and reputation risks of poor security…. Instead of further bemoaning this state of affairs, let’s look at the bright spots, the best-in-class cyber security practices some companies have adopted and the emerging technologies that leverage big data analytics, machine learning and quantum computing.
I’ve been remiss by not blogging earlier this year about ESG’s annual IT spending intentions research. The year 2017 continues to follow a pattern: Cybersecurity is a high business and IT priority for most organizations… Allow me to provide a bit of analysis to this data (after all, I am an industry analyst):
1. There is growing demand for cybersecurity technologies, so 2017 should be another banner year for vendor revenue, VC investment, M&A activity and IPOs.
2. Boards are getting more involved in cybersecurity, which is driving more demand for data and metrics. In other words, executives are willing to spend on cybersecurity, but they want to better understand what they get for their money. Executive reporting tools for cybersecurity will grow precipitously….
With digital threats growing more rampant across the country and from around the world, the idea of building “walls” for cyber defense and protection can seem appealing. But even in this age of hackers relentlessly penetrating our networks, in the information technology security industry, we know that walls don’t work. The truth is that surrounding yourself with impenetrable barricades is akin to sticking your head in the sand. Walls by themselves fail to tackle the root cause of threats, meaning any sense of safety created is artificial. Organizations need to have a holistic security posture that spans their internal network and devices. More importantly, they must anticipate malicious external threats. For protection, traditional IT security systems have for a long time relied on perimeter defenses, such as firewalls, intrusion detection systems and intrusion prevention systems. But that paradigm has changed, as cybercriminals have evolved and cyberattacks have increased in volume and sophistication. In 2015, there were 430 million unique pieces of malware, up 36 percent from the prior year. It’s a number only continuing to explode. Singular perimeter defenses are no longer enough.
IT Getting Defensive
Security professionals are putting pressure on themselves to secure their organization’s systems according to the findings of a new report. The 2017 Security Pressures Report from managed security specialist Trustwave surveyed over 1,600 security decision makers around the world and finds that while 53 percent of respondents report increased pressure in trying to secure their organization, that pressure is becoming more personal as 24 percent say they put the most pressure on themselves, up from 13 percent last year. The findings also show that pressure from the boardroom and from c-level executives has decreased significantly as it’s shifted to IT professionals themselves. The most feared repercussion of a cyber attack or breach is reputation damage to themselves or their company, ahead of financial damage to the company and termination of employment.
The IT community needs a total reset in the way they think about cybersecurity, according to former White House CIO Theresa Payton. “I think back ten years and I realize that we actually haven’t made a single one of your security problems go away, and you need to hold us accountable for that,” Payton said. “Name one. We have reduced risks in the security industry, name a problem we actually made go away for you,” she said. “But I’m really excited because I think we are at a turning point where we’ll have that opportunity.” Payton, who spoke at the Forcepoint Cybersecurity Leadership Forum on Tuesday, described how the government has characterized bringing breach detection times down from over 400 days to a little more than 200 as a win in cybersecurity. “I’ve got to tell you, this does not feel like winning to me,” Payton said.
I’m From the Government and I’m Here to Help
The Federal Communications Commission’s role as a driver of national cybersecurity policy, promoted by former Chairman Thomas Wheeler, was effectively scrapped last week when Congress passed a measure killing the commission’s 2016 cybersecurity and privacy rules. The move was strongly welcomed by the telecom industry and leaves another alphabet-soup agency — the Federal Trade Commission — as “the cop on the beat” when it comes to cyber. That’s a role the trade commission has long embraced, but it will take a different and perhaps more reactive approach to cybersecurity in comparison with Wheeler’s communications commission. Many telecom industry groups prefer the FTC’s enforcement approach, which is based on guiding principles for cyber best practices, to what they saw as prescriptive rules on cyber spelled out by the recently departed Wheeler team at the FCC.
Lawmakers return to Capitol Hill this week with a few cybersecurity items on the agenda for the upcoming legislative work period, while the most significant efforts in the coming months may be taking place at the White House and at the National Institute of Standards and Technology’s campus in suburban Maryland.
By Tom Davis, SDI Cyber Risk Practice
April 25, 2017