C-suites and boards of directors have, up until this point, remained focused on executing minimally sufficient security measures that kept the bad guys out and the good guys safe. With last month's announcement of the devastating Equifax breach affecting nearly every household in the country and thrusting the credit reporting industry into chaos, it's time for the private sector to admit it is no longer “cheaper” to wait out a breach instead of investing in proper security controls throughout their organization.
In May 2017, President Trump issued an Executive Order, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.”
The order defined the steps that all federal agencies are to take in protecting critical data and capabilities. To accomplish that, all agencies are to use the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) to assess the resiliency and maturity of their networks, and then report the gaps and remediation plans to the Office of Management and Budget (OMB). Furthermore, the Order required the National Infrastructure Advisory Council (NIAC) to prepare a report to the President on the current cybersecurity status of the nation's non-government infrastructure.
This report could be considered the equivalent of a report commissioned by a board of directors or CEO from an outside firm to review the risks and readiness of a company to withstand threats. There are three important findings from the NIAC report that CEOs should be aware of as the risk landscape continues to evolve and threaten the economic viability of businesses in all sectors.
1. The NIAC suggests the current state of cyber risk in the U.S. is equivalent to pre-9/11 conditions. As we observe 9/11 memorials this month, this statement is alarming when you consider the gravity of such a comparison. After last week's Equifax breach, the full impact of which we have yet to see, it's hard to argue with that analysis. At the very core of this is a conclusion that every CEO of every company must consider: the risk of a cyber event involving their company and the associated impacts on the organization and those who come in contact with the company. If Equifax teaches us one thing, it's that it is no longer “cheaper” to roll the dice and hope your organization is not the one that gets breached than it is to invest the millions of dollars it may take to properly secure your infrastructure and assets. It is especially important to remember that most of the affected parties in the Equifax breach have no relationship to the company – a humbling recognition for business leaders in denial of the power of the customer data their companies wield.
2. Among the issues of great concern coming out of the report is the historical reluctance of companies and their CEOs to participate in information and threat sharing groups with the government and with each other. The risk of divulging trade secret information versus the importance of data liability protection creates a conundrum for CEOs who might otherwise work closely to thwart cyber attacks. Think about the privacy debates raised when the government set out to gain access to the Apple iPhone involved in the Southern California terror attack last year. Those concerns on both sides of the aisle need to be properly addressed, but the fact of the matter is that more involvement from Congress will be required to solve some of these issues.
3. The NIAC recommended the broad application of the NIST CSF by all businesses to assure the most robust commercial protections. Noting that commercial enterprises are the nation's first line of defense against cyber threats, the NIAC makes it clear that the private sector has work to do. To further that adoption, the NIAC recommends that the Executive Branch and Congress grant tax advantages, regulatory relief and direct support to entice the private sector to embrace the NIST CSF gold standard, and to improve the defenses of their businesses in such a way that protections for the economy are strengthened from all corners of public and private operations.
The NIAC is persuasive that the nation's economy and infrastructure are at risk unless private enterprise substantially improves its cyber defenses, company by company. What further evidence of the risk could possibly be needed? Equifax, Sony, Target, HBO, the electoral system and more, on top of daily hacks of personal consumer data like passwords from successful phishing attempts. The NIAC report is the most transparent wake-up call that the risk is high and that government and private enterprise need to start playing nicely.
The call to action? C-suites and boards of directors – heed these strong recommendations and do the right thing. Invest in security, because waiting to see if a breach happens isn't worth the risk anymore. Without private enterprise support, the country risks remaining on the cusp of a nationally devastating cyber attack.