This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.
The big item for this coming week will be the deliverables from the RSA Conference in San Francisco — tens of thousands of people will flock to the Moscone Center (28,000 attended last year) April 20-24 to attend the largest cybersecurity conference. If you can’t be there, Information Security Media Group offers a live streaming video feed of the program’s security leaders. And for those who simply want the highlights in 140 characters or fewer, follow @RSAConference. The theme this year is to “challenge today’s security thinking.” In line with that theme, do you know all your company’s device entry points for hackers? Few, if any, do. This Forbes article may interest you. A father-son team has found a way to secure thousands of devices at once. Visa, Amazon, Best Buy, the U.S. Department of Defense and Nasdaq are users.
Last week, The Norse Corporation and AEI released a report, “The Growing Cyber Threat from Iran: The Initial Report of Project Pistachio Harvest,” detailing Iran’s cyber activities. It concludes that Iran has invested heavily in its cyber attack capabilities and has revved up both the frequency and sophistication of its attacks. Clearly a concerning development that executives — especially in the financial services and energy sectors — need to keep a close eye on. I first testified before Congress on this topic in 2012, and again in 2013.
Congress will consider two cybersecurity bills this week, “Protecting Cyber Networks Act” and the “National Cybersecurity Protection Advancement Act of 2015.” Both deal with the sticky area of data sharing and liability protection for sharing information on cybersecurity threats. In our cyber blog, a colleague, Kevin Carroll of Quinn Emanuel, and I outlined pros and cons CEOs are considering as this type of cyber legislation begins to take on more actionable focus. The Hill presented another angle — a coalition of security experts urging Congress to reject the legislation outright.
Bringing the conversation down to the personal, Rhett Hernandez, of SDI’s cyber risk management practice and former commander of Army Cyber Command, in remarks last week to board leaders, U.S. and global cyber experts, C-suite executives, and cybersecurity law enforcement leaders, pinpointed the biggest threat to cybersecurity in any company: its own people. The culture needs to change; people pose an unacceptable level of threat to networks, said Hernandez. That’s echoed in Help Net Security’s article on indifference in the workplace. Daniel Velez, senior manager for insider threat operations at Raytheon Cyber Products, says in DARKReading that it’s user behavior, not data restrictions, that provides a stronger approach to breach threats and reputation damage.
Choosing the right hats to manage a crisis when it arrives is examined in CSO — companies may be better served financially by outsourcing cyber crisis management and should have partners in place well before the crisis. Finally, our infrastructure security community just got a new leader: the North American Electric Reliability Corporation just tapped Marcus Sachs to lead NERC’s efforts to protect the electric sector. Sachs will step into the roles of senior vice president and chief security officer. While the term “critical infrastructure” is thrown around frequently these days, the electric sector is unequivocally at or near the top of the list. If the grid goes down, so does everything else. It’s good to see NERC is bringing in a pro.
Frank Cilluffo, SDI Cyber Risk Practice
SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.
April 21, 2015