[BreachExchange] What More Does It Take to Make Cyber Security a Top Priority?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Nov 2 20:11:23 EDT 2017


http://www.securityweek.com/what-more-does-it-take-make-cyber-security-top-priority

It has been yet another busy month in the world of cyber security news.
What does it mean when breaches reach private sector and public
institutions that are supposed to be experts in risk oversight? It means
that security is hard even when it is treated as a priority, let alone when
it is an afterthought, as it is in most institutions. Given the business
they are in, you would have thought that these entities should know better
and would have had the wherewithal to do a better job of protecting their
information. However, like the proverbial shoemaker focused on earning a
living and not their child’s footwear, the focus of private sector
companies and government agencies is to execute their mission, not to turn
their public facing offerings inward to better protect themselves, their
constituents or their customers.

Until there is real motivation that elevates cyber security as a priority
in public and private entities, we will continue to see a less than stellar
effort at its implementation. Despite many executives losing their jobs, the
long term inherent cost of these breaches is not significant enough to
motivate the right behavior. Unfortunately, regulation and associated fines
are likely the only way. One only has to look at the mania of activity and
concern surrounding Europe’s Global Data Protection Regulation (“GDPR”) and
its potential material fines of up to four percent of global revenue.

My previous column talked about security vs. compliance, which is an
important point when considering regulations, related penalties and how to
measure success. The risk based approach advocated there is the
well-established path to managing cyber security for optimal business
results. Like all risk disciplines, it looks at the threat landscape,
vulnerabilities and the potential business impact of them intersecting.

What the risk based approach does not directly consider are the resulting
impacts that are outside the business. Despite the significant momentary
effect of major breaches on profits, stock prices and the personal careers
of company executives, most breaches to date have not had a long term
financial effect on the businesses in question. Equifax may be the first
major exception to the rule, and as attacks increasingly cut into
operational capabilities, the dollar impacts will grow (see FedEx’s $300
million cost attributed to the disruption caused by the NotPetya ransomware
this past summer). However, most businesses are still inclined, by decision
or passivity, to roll the dice that the cost of a cyber event will be less
than the business cost of preventing one. Cyber insurance just raises the
bar on the dollar threshold required to motivate boards and executives to
pay attention and adjust how they do business to better protect themselves
and their customers. Unfortunately, undesired outcomes that do not
significantly impact the bottom line in the long term, like exposure of
customer data, will not drive the attention required to make a dent in the
matter.

The only way this formula changes is when the cost of weak security exceeds
the cost of putting the right people, process and technologies in place to
raise the bar. That’s not to say that being motivated to improve security
posture will magically prevent attacks from being successful. But it is to
say that without a direct driver, we will continue to see preventable
breaches that result in the exposure of personal data and disruption to
services.

That driver may come from one or all of three places. Individual consumers
need to speak with their pocketbooks and their votes. Making security a
significant and vocal factor in your buying and voting decisions will raise
the stakes for commercial entities and politicians, “helping” them realize
its importance. Regulation and legal decisions at the federal level that
increase the cost of cyber negligence through fines and legal action will
increase the bottom line impact materially, and drive more attention (again
see GDPR). To minimize the burden of compliance, regulation needs to
consolidate other local efforts, and focus on security vs. check-the-box
compliance. The New York State Department of Financial Services cyber
security regulation provides a good template as a starting point. Finally
(and I pray never to happen), the occurrence of a major disruptive event
that has significant impact on the operations, financials or life safety of
a large private or public entity will open everybody’s eyes.

The risk needs to be realized and action needs to be taken before a cyber
disaster impacts critical life safety or infrastructure. No major
innovations come without cost. Cyber security is one of the costs that
needs to be paid to reap the benefits of our advanced technology and
connectivity.