As those of us in the security industry anticipate the soon-to-be-appointed Cybersecurity Czar, I took some time to pull together my thoughts on his/her first 100 days in this newly-created role and the critical first steps that I’d recommend be tackled in those first 100 days, to ensure success.
While I’ve been pretty vocal on the pending Cybersecurity Czar role in tandem with what Melissa Hathaway has been charged with in terms of a review of our current state of cybersecurity, I think it’s important to make a very clear distinction about the role the Cybersecurity Czar must have to prevent the role from being toothless, as previous efforts in this area have proven to be.
The Cybersecurity Czar must have the budget, the necessary power to enforce change and the support of the government (top to bottom) and civil side, meaning business leaders should also take the necessary steps to embrace this role, policies, and enforcement. Without both of these elements, the person appointed to this position will almost certainly fail. It’s been attempted before but was never properly executed. It’s time to put some teeth behind this position to enact change before it’s too late.
With that said, assuming the Cybersecurity Czar is given the budget, power and support needed in this role, my recommendations for the first 100 days are to:
Examine the role of private enterprise in our overall national security posture: – As I mentioned previously, we need to actively engage private enterprises in overall efforts to improve the country’s security posture. Without private industry support, the Cybersecurity Czar will have a tough time fully securing our critical infrastructure currently managed by both the government and business communities.
Articulate security standards, government-wide, that are achievable and enforceable, and offer a net security benefit. While there have been attempts to enact security standards and government bodies in the past to impact our country’s weak security initiatives, many were toothless, the policies weren’t enforceable and there were no clear penalties for not adhering to those policies. There has to be some level of authority given to the Cybersecurity Czar to consolidate civilian and government entities as well as the DoD’s (at some level) existing security state and policies to affect change.
Establish a real-time threat assessment and/or gap analysis – Currently, we do not have a clear understanding for where we, as a country, sit today relative to our risk posture let alone where we’d like to be or what it’ll take to get there. A real-time gap analysis will provide a crystal clear view into areas of weakness that must be addressed right away versus weaknesses that can be addressed in due time, taking a risk-based approach, so to speak. A key thing to understand here is when assessing risk, make sure you have the right steps to address, communicate, and prioritize based on the threat level so that different groups can come together in a cohesive manner to take the steps to remediate.
Harness the strong sense of nationalism our country is renowned for across the globe:
Carrying of the flag, knowing our history, being proud of our American heritage. These are the things we, as a country, are known for. Why not use it to our advantage as we seek ways to improve our country’s security posture? At some level, all Americans need to understand that our nation has changed, our ability to remain safe and secure in light of the digital warfare looming is at an all time high. What’s needed is some sort of campaign to get all of us on the same page relative to our national cybersecurity and the fact that being safe and staying safe by protecting our critical infrastructure and systems needs to change. If hackers now have the ability to shut down our critical infrastructure – from our transportation system to our power grids and emergency service communications systems – this is no longer just a cybersecurity issue, it’s a national security issue that cannot be ignored. In tandem with what we need to do to rally civilians around this issue, we also need to work closer with those in the private sector as the value of our Intellectual Property (IP) is at stake. At this rate, our priceless IP is being siphoned out from under us and we collectively haven’t realized what the implications are to our history of innovation in the US. If we’re stripped of our IP, and thus our innovation, how are we going to be able to maintain our global leadership status?
Chart a course: A clear course is needed for how we resolve our national cybersecurity posture. Not just a government-enacted project but something that the entire country – from private industry right down to civilians. This is the key to success for whomever takes the reigns as our first-ever Cybersecurity Czar.
Nice job Pat sounds like you are making a pitch for the job!!!
On this topic, I agree 100% that the role of private enterprise in our overall national security posture is key, there are a lot of very good people in the privet sector and the government should leverage this knowledge base. And on the topic “Harness the strong sense of nationalism our country is renowned for across the globe” I revert back to your comments on Singapore Government and their efforts to consolidate, this makes sense to me but then again I’m just a security guy look at the big picture!!
Thanks
Rich