Dear Mr. Trump: Make cybersecurity a national priority

12/21/2016  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Information Security


Dear President-Elect Trump,

I know that your first several months in office will be busy ones as you focus on addressing a wide range of issues, from U.S. manufacturing to health care. However, I implore you to add one more priority to your first-year agenda: cybersecurity.

Currently, cyber attacks cost businesses about $400 billion per year, and that number is expected to grow to $2 trillion by 2019. Even threats that many IT security professionals thought had been largely contained — distributed denial of service (DDoS) attacks — have come roaring back. This fall, hackers used Internet-connected hardware (like laptop cameras and routers) to exponentially amplify the damage they can cause. An attack in October against Internet services company Dyn brought down popular services like Spotify, Reddit and — one of your favorites — Twitter.

Then, of course, there’s the issue of data breaches like the one that hit your election opponent. Those hacked emails shed light on the threat from foreign governments and stateless groups like WikiLeaks. While that breach may have benefitted your candidacy, perhaps the next one won’t turn out in your favor.

As someone who has been working on cybersecurity issues with leading corporate, government and health-care organizations for nearly two decades, I offer you four key suggestions for improving the state of U.S. cybersecurity.

Number one: Establish a cybersecurity advisory committee
Rather than appoint a single person in the role of a special advisor or czar on this topic, bring together an advisory group with representation from the private sector, municipal government and nonprofits, as well as consumers. Don’t just staff this committee with former military and FBI experts. You will need insights from many different perspectives to truly understand what businesses and individuals are facing and to help balance the desire to effectively secure data with the need to make money.

Number two: Enforce existing laws
The truth is, when company leaders are pressed to improve the bottom line, expenses like cybersecurity often take a backseat because they don’t increase revenues or decrease costs. However, in industries like finance and health care, existing regulations have obligated companies to keep cybersecurity as a priority — or they could face consequences. While existing cybersecurity regulations aren’t perfect, the looming threat of regulatory penalties remains a primary driver of cybersecurity initiatives for many entities. The problem is there’s little money for enforcement of the regulations. This needs to change. If there are laws on the books, your administration should figure out how to make companies follow them. Until organizations are truly making investments in cybersecurity based on the outputs of a cybersecurity risk-management program, enforcing existing regulations will be one of your most effective measures for improving our resiliency against cyberattacks.

Number three: Don’t listen to Reagan
President Ronald Reagan’s famous phrase, “Trust but verify,” may have worked for Cold War nuclear disarmament, but when it comes to cybersecurity, the saying my colleagues and I follow is closer to this: “Trust no one.” You have to assume that adversaries like China and Russia are launching cyberattacks against U.S. businesses and other interests. Businesses and government entities must be vigilant in their cybersecurity efforts, prepare to be attacked, and design and implement cyber defenses accordingly.

Number four: Don’t ask for more thought leadership
As I write this, there are no fewer than five well-established cybersecurity frameworks that have been developed to outline an approach to cybersecurity — such as ISO 27001, the NIST CSF, the HITRUST CSF and others. But these are basically five separate approaches that accomplish the same thing. Using any one of the frameworks properly will allow an organization to effectively secure its assets. I compare this to different translations of the Bible: They all might have slight wording differences but ultimately convey the same information, and, if you follow the Bible’s teachings, provide the same outcome.

So please don’t call for more thought leadership to be published on the topic of cybersecurity. We have plenty of great information already available that, if followed, will effectively reduce cyber risks. The key now is for entities to put the existing guidance into action. Until entities get the basics in place, new thought leadership will simply serve as noise that could discourage or derail an organization from making improvements. We don’t need more thinking about cybersecurity; we need action.

In his 2015 State of the Union address, President Barack Obama acknowledged the importance of cybersecurity. Since that speech, however, very little progress has been made, and more high-profile attacks have occurred. As you take office, I’m imploring you to put cybersecurity on your presidential agenda and finally give it the attention needed to prevent a major cyber-attack from becoming a defining event of your presidency.

Respectfully,

Mark Burnette, CPA, CISA, CISSP, CISM, CRISC, CGEIT, QSA

Publication: The Tennessean