For years, law enforcement agencies have requested information from corporate America to help them fight cyber crimes. But the private sector, in turn, felt that the flow of information was unidirectional. Many organizations indicated that threat intelligence was not often shared back with them.
President Obama's executive order (EO) related to cyber security opens the door for meaningful discussions between federal agencies and the private sector. While the EO specifies security measures aimed at protecting critical infrastructure – which the Department of Homeland Security (DHS) is working to define – private enterprise should capitalize on the opportunity this EO creates.
Companies can shape the future of security in the following key areas:
Critical infrastructure is a term that needs to be defined in the context of cyber security. While there are 18 sectors currently designated as critical infrastructure from a homeland security perspective, the government will now look at how to prioritize sectors through a security lens. There is an opportunity to provide input into DHS's voluntary critical infrastructure cyber security program and contribute ideas as to what incentives DHS should offer to promote the program.
DHS has been directed to make better use of public-private partnerships to increase the understanding of what kind of information would be most useful to mitigate cyber threats to the private sector. There is an opportunity to get involved to provide feedback to the government as to what information is needed to effectively defend against and respond to threats.
The Department of Commerce's National Institute of Standards and Technology (NIST) will develop a “cyber security framework” to include standards, procedures and guidelines to align business, policy and technological approaches to cyber risk. The framework will be voluntary and consensus-driven. There is an opportunity to engage with NIST to identify existing voluntary consensus standards and industry-leading practices. Consistent security standards should give companies a common roadmap to follow as a means to enhance the process of defending their networks.
Companies that do business with the federal government should note that the EO directs the Department of Defense and the General Services Administration to recommend ways to incorporate security requirements in federal procurements and contracting. There is an opportunity to follow this discussion closely given that it may have a significant impact on both supply-chain security and contracting costs.
There must be a new approach for a new world. Company leaders and boards can no longer afford to view cyber security as a technology problem. The likelihood of an attack is now an enterprise risk management issue, and an integral part of every business strategy.
There are a number of questions you should be asking now: Do I have a threat-based, asset-focused security plan? Do I know how an adversary looks at my organization? Do I have a public-private partnership (PPP) strategy? Do I know what my security strategy is protecting? Can I explain my corporate security strategy to others?
We believe that cyber threats are a clear and present danger to the global business economy. It is time for executive leaders and board members to see them for what they are—risks that could severely impact and even derail their business. The EO is intended to help reduce cyber risks by sharing threat information and security tactics between the private sector and government agencies. After all, knowledge is power.
David Burg is a partner, and co-author Laurie Schive a director, with PwC's U.S. cyber security consulting practice.