Organizations must demand the security of their data, and software creators must be held responsible for securing their products, many experts agreed while speaking at Pace University's CyberStorm: Cybersecurity in Business Conference.
The conference featured both private and public sector officials, with the goal of discussing the current state of cybersecurity and finding solutions to upcoming and existing threats.
Currently no one is held responsible for insecure software except the customer, Nicholas Donofrio, IBM fellow emeritus and retired executive vice president of innovation and technology, said during the conference Oct. 6 in Pleasantville, N.Y.
Donofrio said companies should give consumers more control of their data concerning how it is kept and who it is shared with and that they should request the consumer's permission every time data changes hands.
“Every time there is a huge bump in the tech curve there's another chance to do it right,” Donofrio said, adding that companies should rewrite their privacy agreements and their data security methods with more accountability to the consumer.
Panelists agreed that chief information security officers (CISOs) and other executives should help foster a culture of cybersecurity awareness through investment in effective training across the company.
“Training programs should be shorter, smarter and based on simulations,” said Venkata Ramdas Avasarala, head of North American cybersecurity sales at Tata Consultancy Services.
Avasarala said companies should make cybersecurity more holistic throughout the organization and not just an issue for the technologically savvy. He added that companies should focus on the human and psychological elements of security to help employees relate, and make sure training contributes to building a culture of security.
Furthermore, experts agreed that CISOs should do their part in educating the board, using relatable examples of how cyber vulnerabilities can have financial consequences if ignored. At the same time, companies should avoid putting CISOs in conflict with other executives.
“CISOs, if your CIO is a putz, leave!” said Marene Allison, vice president and CISO at Johnson & Johnson. There is only so much that an individual or IT department can do regardless of how many updates, patches, and systems are used to protect sensitive information, Allison said, explaining that if the entire IT department isn't on the same page it will cause problems down the road.
Companies must invest in updating their “human OS” in addition to staying on top of their software patches, with some experts going as far as saying that regulation is needed to incentivize companies to take up more secure practices. Other, less invasive forms of government intervention were offered as well, such as more participation in cross-sector threat sharing programs similar to the Global Cyber Alliance.
Companies should look for more ways to collaborate with government agencies, foreign and domestic, to share threat intelligence not only with other firms and competitors but also across industries, such as banks sharing data with hospitals, or the education sector sharing threats with infrastructure, Manhattan District Attorney Cy Vance said during a keynote address.
“Cyber should bring us together,” Vance said, adding that companies should grow past the fear of appearing weak or vulnerable by sharing basic threat intelligence. In most cases, he said, companies share a common enemy.
“If I don't protect my neighbor's house then my house becomes more vulnerable,” Vance contended. Others called for the federal government to be more transparent with sharing threat data and helping to foster programs that can help mid-level and smaller companies protect consumer information.
Our government was deliberately set up to not inhibit innovation and to not interfere with the actions of the private sector, and while that's part of what makes our country great, [but] with cyber it is different, said Pine River Capital Managing Director, Chief Information Security Officer and Head of Technology Infrastructure Josh Stabiner.
He said consumers should hold companies accountable for consumer data at the ballot box and by supporting change through policy. Panelists also discussed solutions for dealing with the global threat landscape on a local level, as well as how educational institutions can help train cybersecurity best practices into non-cyber fields to help people understand the importance of securing information.
Allison called for more institutions to teach CISO skills such as better communication and leadership, while other panelists called for companies to look for more effective ways to show how cyber threats can hurt a company's bottom line.