President Obama and leaders in government and industry discussed cybersecurity and consumer protection at Stanford University last week. As part of the summit, President Obama signed a new Executive Order related to cybersecurity. The President’s actions, combined with recent legislative success in the last session of Congress, demonstrate how critical it is to take action now to combat the malicious activity that is occurring and bring some support to the consumer.
The executive order and the legislation previously passed by Congress are a great start. But for the actions taken to increase information sharing between the public and private sectors to really be effective, additional legislation is necessary. We need to see liability relief along with codified roles and responsibilities for the public and private sectors regarding information sharing. In addition, the President has called for a national breach process and updated criminal laws to support today’s security needs and the future environment. We support that. With this approach, information sharing can, in fact, truly become actionable and allow the good guys to operate inside the bad guys’ decision cycle.
In addition, last week’s summit highlighted the importance of the Cybersecurity Framework (CSF), developed by the private sector working with the government. For the first time, the CSF gives everyone a common taxonomy and approach to understanding an organization’s risk (business or otherwise) and to determining that organization’s ability to prioritize and mitigate those risks with cybersecurity capabilities. Many in the private sector have started implementing the CSF. Many, however, are confused or overwhelmed and have not yet started. RSA can help.
The CSF is a great model for organizations to implement. And for those mature organizations that have implemented a framework, it provides an easy way to communicate status and performance to those who are interested in cybersecurity posture – such as corporate leaders, board members and even regulators.
In the wake of the serious breaches so far this year, a common question asked is: “what company is next?” All are at risk – but particularly those who don’t know where they stand. As I’ve mentioned, I think the CSF is the best place to start. It truly is a business-oriented approach to understanding risk and building a roadmap to address those risks with an operational cybersecurity posture.
So, if you’re looking to get started, try the Cybersecurity Maturity Assessment that RSA has developed and offers at no cost. Alternatively, businesses can download and review the current framework directly from NIST.
As we heard from President Obama, we face serious threats. Our national leaders of both parties are committed to continuing to address this threat as our way of life is becoming ever more connected to and dependent on the security of our IT networks. For our part, businesses around the nation need to join America’s elected officials in the common purpose of cybersecurity: becoming aggressive defenders of our collective right to digital security.