A Byte of Prevention…
Good cybersecurity does not come cheap, but the costs associated with a cyber attack are far greater. So why are companies still reluctant to invest in their own cyber protection? In an interview featured in Help Net Security, Johnathan Reiber helps to explain how CISOs can convince their boards to properly invest in cybersecurity.
Who is Johnathan Reiber?
Johnathan Reiber is the former Chief Strategy Officer for the Pentagon, and is currently the VP of Cybersecurity Strategy and Policy at AttackIQ, a security optimization platform
The Importance of Cybersecurity Investment in a Geopolitical Context
Reiber explains that with recent international crises, cyber-attacks have become both a matter of national security and corporate concern. As a former government official, Reiber explains that the prospect of a private sector organization being the focus of a politically motivated cyber threat due to sensitive data it possesses is a distinct possibility, and CISOs should take that under consideration when imploring their boards to invest in cybersecurity.
How CISOs Can Convince Their Companies to Protect Their Sensitive Data
The challenge of explaining the intricacies of cybersecurity to non-technical members of their board is a considerable challenge for CISOs, but it is a crucial step in ensuring an organization puts the resources into a proper cybersecurity framework. Reiber argues that the best way to do this is to present it as a cost/benefit analysis, highlighting that the cost of maintaining security measures pales in comparison to the roughly $4 million USD that organizations stand to lose from the average data breach. Having cybersecurity in place to prevent (or at the very least, mitigate) such breaches can save organizations a lot of money, and Reiber says that balancing this approach with an appropriate cyber insurance plan is the best way to make sure an organization's cybersecurity is both proactive and reactive.
Coded into Law: The Complications Surrounding New Privacy Legislation
Government legislation regarding data has often been out of step with how fast technology progresses, and how industry professionals recommend organizations handle their consumer data, but a recent push towards passing a sweeping privacy law in the United States may be a welcome step in having a government framework for organization protect and share data. However, complications have arisen regarding the implications of such a bill, and how it would affect the civil liberties of citizens and their data rights.
Recently, the House Energy and Commerce Committee voted to move forward on the American Data Privacy Protection Act (ADPPA), a bill that has strong bipartisan support and, if enacted, would be the US's first comprehensive privacy legislation.
The American Data Privacy Protection Act
The ADPPA, which is headed to the House floor, aims to "provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaning enforcement." Among its many stipulations, it would introduce a uniform legal standard for data security, and would require organizations to disclose how they share customer data, and who they share this data with.
Benefits of the ADPPA
Some security professionals have seen the potential passing of the ADPPA as a landmark in data legislation, one that will raise the tide of private sector accountability in data management. Writing for TeachPrivacy, Daniel Solove gives the Act a B+, stating he is encouraged by the ADPPA's "duty of loyalty" in ensuring an organization does not infringe on its customers' privacy rights. While he maintains that the Act is a starting point and not the end of data legislation, Solove believes it "stands up fairly well alongside other comprehensive privacy laws."
Not everyone is a fan of the ADPPA, with some saying that a loophole in the Act that allows for governmental bodies to access private data is a dangerous slippery slope. Representative Anna Eshoo from California says that in the wake of abortion rights being rolled back across America, law enforcement could use the ADPPA to access Internet search and application data to prosecute women who may be considering abortion in states where this is now illegal. Legal entities like the ACLU also have problems with the vague wording regarding the Act's exemption for 'de-identified' data, which is seen as anonymous and outside the realm of protection but could be another loophole in which sensitive information is revealed.
Arguments for and against the bill will likely grow louder as it inches closer to becoming US legislation, but a governmental framework for data protection, even if it is flawed, sets an important legal precedent for organizations to secure their sensitive data.
Hackronyms: How the Language of Corporate Governance Can Aid Cybersecurity
While cybersecurity-related legislation is gaining traction, many organizations are in the position of self-regulation, and face the challenge of how to operate ethically in regard to cybersecurity concerns without comprehensive governmental guidance. Corporate governance is a vital tool for ensuring an organization is on the path to achieving its goals whilst also remaining accountable to its investors and customers, which is especially important in matters of cybersecurity. While corporate governance is a large, potentially unwieldy subject, an article in Tripwire shows how helpful acronyms like GRC (governance, risk, and compliance) or ESG (environmental, social and governance) help center these concepts into manageable, actionable frameworks.
What is GRC?
GRC is an established framework of principles and recommendations for corporate conduct, defined by OCEG as the "integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity." Widely implemented since 2007, it has been a pathway for organizations to achieve high standards of corporate governance.
What is ESG?
ESG is an investment framework that includes an organization's effect on the environment and other social concerns in evaluating whether they are worthy of investment. It is essentially a risk indicator that measures how sustainable an organization's success will be while factoring in these concerns, and whether risks associated with these concerns can be mitigated.
Utilizing Both Acronyms for Cybersecurity
Cybersecurity is an area of concern that speaks to both the environmental and social factors of ESG. With critical infrastructure as diverse as water treatment facilities to power grids relying on cybersecurity to protect against threat actors, cybersecurity becomes a crucial factor in ESG evaluations. This is where GRC can be helpful in making sure an organization's cybersecurity measures up to ESG considerations. Through GRC compliance programs and mechanisms for accountable, risk-mitigating conduct, organizations will be able to make their cybersecurity concerns at an acceptable, ESG-friendly level, boosting investor confidence and creating new pathways for growth. These frameworks allow companies to manage risks, be accountable to customers, and open themselves up for further investment.