Posted: October 19, 2009
Where's that cyber security czar, anyway?
And will the position actually have any real power?
By Scott Walker
In May, the Obama administration announced its plans to appoint the nation's first cyber security czar.
"America's economic prosperity in the 21st century will depend on cyber security," President Obama said. He emphasized that the "networks and computers we depend on every day will be treated as they should be: as a strategic national asset."
At the time, the information security community enthusiastically greeted the announcement as a critical and overdue step in prioritizing information security within the national security framework. Five months later, however, that initial excitement has diminished as the administration has yet to appoint someone to fill the post.
Furthermore, many observers have grown skeptical that even if an appointment is made, the czar will lack authority to implement sufficient measures to truly improve the nation's security posture.
In acknowledging the existence of critical security concerns and yet failing to take action, the federal government is mirroring a phenomenon taking place throughout corporate America. While information security is identified as a key IT concern, companies often struggle to translate that recognition into a clear and executable strategy.
Fortunately, while addressing national cyber defense may seem like an overwhelming challenge, the scope of securing a corporate environment is not as daunting. While it requires effort and resources, the path to addressing an organization's information security risk is fairly straightforward.
As the saying goes, a journey of a thousand miles begins with the first step, and for information security, the first step is getting a clear picture of the risks. This involves a thorough analysis of the drivers of risk, which can be broken down into four main categories:
1. Loss of Property - the protection of entrusted data.
Companies collect many types of data and information that could be of value to an attacker and are certainly of value to their owners. When such data is lost, the impact can be internal, as in the loss of intellectual capital, or external, as in the loss of the personal data of employees or customers.
2. Loss of Reputation - the loss of competitive advantage.
An organization's ability to successfully compete in the marketplace is tied to the trust of its customers. Breaches resulting in the loss of critical data are increasingly publicized due to the quantity of data taken and the immediate financial impact to victims. Such publicity can be devastating to a company's reputation, and the resulting loss of public faith can hurt competitive advantage and decrease profits.
3. Loss of Productivity - the loss of ability to work.
When system vulnerabilities are exploited, whether for data theft, a targeted attack on the system itself, or simple mischief, the compromised systems become unavailable for their intended use. Employees and customers can no longer use them as designed, which costs the organization both productive working hours and potential client or customer goodwill.
4. Legal and Regulatory Requirements - the cost of failing to achieve compliance.
Many industries are subject to legal and regulatory requirements. Compliance with these standards is rarely voluntary, and failure to comply can bring any number of penalties, including levied fines, loss of market share and, in some cases, incarceration.
Taken together and realistically assessed, these risks can be eye-opening to senior management. By identifying the drivers of risk and the impact each can have on the organization, a risk manager can obtain a charter for a comprehensive security program.
Once the risk assessment is complete, the next step is a gap analysis to determine where the company is exposed or lacks sufficient controls. From that, the organization can develop the framework and policies that form the foundation of the program; the program should then be audited, its deficiencies remediated and, finally, its controls automated.
The good news is that while the Obama administration struggles to make progress on its security agenda, corporate security officers and risk managers do not face the same obstacles. While the path to a secure information environment may at times appear to be steep, it does exist. And, the best way to start the ascent is to thoroughly understand the risks posed by standing still.
Accuvant Co-founder Scott Walker is Vice President of Strategic Planning, responsible for overseeing the company's strategic initiatives including acquisitions and division spin-offs. Walker's leadership has resulted in the development of Accuvant's Security Coverage Model and establishment of Accuvant's three practice areas of Accuvant Labs, Risk and Compliance Management, and Technology Solutions to align Accuvant's offerings and specialized resources to client needs.