U.S. Senators John Cornyn (R-TX), Patrick Leahy (D-VT), and Ted Cruz (R-TX) have introduced the National Cybersecurity Preparedness Consortium Act to authorize the U.S. Department of Homeland Security to work with the National Cybersecurity Preparedness Consortium (NCPC) to help prepare for and respond to cybersecurity risks at the national, state, and local levels.
The problem is not fixing Critical and High severity vulnerabilities; it is that Medium and Low severity vulnerabilities can pose significant risk as well. For any given vulnerability we need to distinguish between its severity, which is a property of the flaw itself, and the risk that results from that flaw being present on a particular system on our network.
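The distinction above is easiest to see when a scanner's severity ranking is placed beside a ranking that also accounts for where each finding sits. The following Python is an added illustration, not code from the original article; the scoring weights, the asset attributes and the four sample findings are constructed assumptions chosen only to show how the two orderings can diverge.

```python
"""Severity-only versus context-aware ranking of vulnerability findings.

Added example. The weights below are assumptions for illustration, not a
published standard: severity is scaled up for internet exposure, for the
sensitivity of the data the host handles and for a publicly available
exploit, and scaled down when a compensating control is in place.
"""
from dataclasses import dataclass
from typing import List

# Ordinal value of the scanner-reported severity bucket.
SEVERITY_SCORE = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool        # reachable from untrusted networks
    data_sensitivity: int        # 1 = public, 2 = internal, 3 = regulated
    compensating_controls: bool  # e.g. segmentation or a WAF rule in front


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    asset: Asset
    exploit_public: bool = False  # is a working exploit publicly known?


def contextual_risk(f: Finding) -> float:
    """Assumed risk score: severity adjusted by the asset's context."""
    score = float(SEVERITY_SCORE[f.severity])
    score *= 2.0 if f.asset.internet_facing else 1.0
    score *= f.asset.data_sensitivity
    score *= 1.5 if f.exploit_public else 1.0
    if f.asset.compensating_controls:
        score *= 0.5
    return score


def rank_by_severity(findings: List[Finding]) -> List[Finding]:
    """Order findings the way a scanner report does: by severity alone."""
    return sorted(findings, key=lambda f: SEVERITY_SCORE[f.severity], reverse=True)


def rank_by_risk(findings: List[Finding]) -> List[Finding]:
    """Order findings by the context-aware score instead."""
    return sorted(findings, key=contextual_risk, reverse=True)


# Constructed sample data (hypothetical hosts and findings).
LAB_BOX = Asset("isolated-lab-vm", False, 1, False)
HR_SERVER = Asset("internal-hr-db", False, 3, True)
PAYMENTS_WEB = Asset("payments-web", True, 3, False)
MARKETING_SITE = Asset("marketing-site", True, 1, False)

SAMPLE_FINDINGS = [
    Finding("lab-critical", "Critical", LAB_BOX),
    Finding("hr-high", "High", HR_SERVER),
    Finding("payments-medium", "Medium", PAYMENTS_WEB, exploit_public=True),
    Finding("web-low", "Low", MARKETING_SITE, exploit_public=True),
]

if __name__ == "__main__":
    print("By severity:", [f.id for f in rank_by_severity(SAMPLE_FINDINGS)])
    print("By risk:    ", [(f.id, contextual_risk(f)) for f in rank_by_risk(SAMPLE_FINDINGS)])
```

With these assumptions the Medium on the internet-facing payments host (score 18) moves to the top of the queue, while the Critical on the isolated lab machine (score 4) drops below the High on the segmented HR database (4.5). The exact weights matter less than the habit they encode: the remediation order should come from risk in context, not from the severity column alone.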
Even brick and mortar companies are increasingly leveraging the internet and cloud services to expand their business. As traditional business models have changed to incorporate these resources, the security risks presented have evolved as well. In today’s world of digital business, the security risks faced by the majority of companies have largely shifted into the cyber realm.
Being adequately prepared to respond to a data breach is an ever-changing game – new threats are emerging, new regulations are being put into place and companies must regularly re-evaluate their response plans to ensure they are applicable to today’s threat landscape. Unfortunately, many companies are not reviewing and updating their plans frequently enough – in fact, only 25 percent of companies say they update their response plans once or twice a year. Not to mention that no matter how well prepared and updated a company’s plan is, an actual live breach response can present unforeseen challenges that cause companies to stumble.
Many organizations protect their cyber infrastructure by looking inward, focusing on their own networks and systems. They dedicate themselves to reducing the attack surface, assessing their vulnerabilities, patching their systems and continuously monitoring their own networks.
When looking at the cyber technology market over the past 15 years, it is evident that the catalyst for cyber evolution was Y2K. Prior to the Y2K frenzy, “cybersecurity” was masked in the systems engineering function, and external threats consisted of hackers looking to leverage free computing capabilities with very little focus on information/data access or network destruction.
From an executive-level perspective, the greatest shift in cybersecurity relates to the focus and the responsibility – moving from strictly an “IT issue” to one of a business function. Look no further than the Target breach and the subsequent resignations of the company’s CEO and CIO to see how cybersecurity has escalated to the C-suite. This was unprecedented 15 years ago, when the primary cybersecurity role of IT was information assurance. So why has the philosophy changed?
Our August issue cover story features Steve Baker, CSO at State Street Corporation. Also in August, how did a Guidewell Security team member save a life? And learn how digital technology and IoT devices can combat both physical and cyberattacks.