
Push Ahead of Cyber Security Legislation

The rise in global security incidents, diminished budgets and downsized security programs have left organizations to deal with security risks that are neither well understood nor consistently addressed. Executives around the world feel confident that they’re winning the high-stakes game of information security despite the growing number of obstacles, according to The Global State of Information Security® Survey 2013 by PwC U.S. in conjunction with CIO and CSO magazines.

“Security models of the past decade are no longer effective. Today’s rapidly evolving threat landscape represents a danger that shows no signs of diminishing, and businesses can no longer afford to play a game of chance,” says Mark Lobel, a principal in PwC’s Advisory practice. “Companies that want to be information security leaders should prepare to play a new game – one that requires advanced skills and strategy to win against emerging threats.”

If you thought corporate and physical security were challenging enough, they have nothing on information security in the age of cyber crime. The above-quoted study of more than 12,000 business and technology executives points to “the lack of information security leadership as a serious obstacle to an effective information security strategy in their organizations.” And on its heels appears to be a relatively toothless Executive Order to improve the digital defense of critical infrastructure, voluntarily.

A short history: in November 2012, the Senate failed to pass legislation mandating cyber security to prevent a “Cyber Pearl Harbor,” as Secretary of Defense Leon Panetta put it during an October 2012 speech on U.S. critical infrastructure. The Senate killed the legislation in large part due to U.S. Chamber of Commerce opposition to the voluntary standards, which it viewed as a back door to regulation and one that would quickly fall out of date with evolving threats.

That prompted the White House to move ahead with an Executive Order (EO 13587). However, most critical infrastructure is privately owned, limiting the Executive Order’s impact because it can only ask for voluntary participation among most of the targeted power plants and water systems. Further, it excludes commercial products from being ‘cyber security compliant’ (undefined) and leaves it to the individual government agencies to determine if changes to procurement procedures are necessary. There is also discussion of creating incentives for vendors to be ‘cyber compliant’ or awarding preferential status to those that are compliant. 

Further, a key sticking point in the Senate legislation was the information sharing among government and private sector organizations. While the legislation encouraged government and companies to share information about cyber threats, the Obama Administration promised to veto legislation that did not safeguard the privacy of that shared consumer data. So, while information sharing has been identified as a core element of cyber defense, it will not happen without protections for those doing the sharing.

Well, if you have read this far, you have the sense of all the things the Executive Order does not do. So, what does it do?

It does outline orders for certain agencies to take a proactive role. At the core, NIST will be charged with developing a cyber security framework. DHS will produce unclassified reports on specific, targeted threats (similar to OSAC’s information sharing policy), and a system for tracking and reporting cyber security incidents would be developed on a multi-agency level. Maybe the most important outcome is the recognition of the problem and getting leaders across silos to discuss threats, vulnerabilities and mitigation strategies. From signing to publication at the government agency level, the goal is 605 days.

In summary, do not sit tight waiting for this Executive Order to be signed. Rather, corral your peers across the enterprise and lead the charge because the folks on the other side of your firewall are charging ahead too. With only 21 percent of Security 500 CSOs managing Cyber Security for their enterprises, this is an outstanding career opportunity for leaders with security subject matter expertise to lead. After all, nature abhors a vacuum.

This article was previously published in the print magazine as "Nature Abhors a Vacuum."


Executive Order 13587 Near Term Actions

The President’s Cyberspace Policy Review identifies 10 near-term actions to support our cybersecurity strategy:

1. Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities. 

2. Prepare for the President’s approval an updated national strategy to secure the information and communications infrastructure.

3. Designate cybersecurity as one of the President’s key management priorities and establish performance metrics.

4. Designate a privacy and civil liberties official to the NSC cybersecurity directorate.

5. Conduct interagency-cleared legal analyses of priority cybersecurity-related issues.

6. Initiate a national awareness and education campaign to promote cybersecurity.

7. Develop an international cybersecurity policy framework and strengthen our international partnerships.

8. Prepare a cybersecurity incident response plan and initiate a dialog to enhance public-private partnerships.

9. Develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience and trustworthiness of digital infrastructure.

10. Build a cybersecurity-based identity management vision and strategy, leveraging privacy-enhancing technologies for the Nation.

Recent Articles by Mark McCourt
