Published on csoonline.com
In the wake of the Equifax mega-breach (143 million customers), it’s time to shatter a lot of glass and do an immediate institutional paradigm shift. This needs to happen across public-private and private-private digital security threat information sharing policy-making, collaboration and coordination.
What more proof do we need, 143 million Americans (that’s nearly half our nation’s entire population) at risk, to publicly acknowledge that it ain’t working? A mea culpa moment for sure!
Cybersecurity is an entirely new industry sector. Basic fundamental business operating principles aside, we collectively should be attacking this from an outside-in approach, and embracing indeed celebrating the ‘newness’ of it all. Instead, we as a nation have become fearful and lazy (a broad overstatement for sure, but for purposes here . . .). It’s taken a good 60-70 years post WWII to figure things out and get it right; but, absent some last-minute silly institutional decision making around collateralized loans and mortgages circa 2004-07 (and the resulting 2008-09 market downturn), we got there. Companies have achieved near pure operating models; company staffs are largely diverse; latterly (and finally!) executive ranks are increasingly filled by eligible women; and the global marketplace is steaming at good pace. Things have been relatively generally very good.
And now this cyber thing comes along. We at first think if we don’t give it public attention, it will remain a secondary or ideally tertiary concern. That didn’t work. Well, let’s tend to it with “band-aids”; deploying our old reliable go-to operating models. Ugh!! That doesn’t seem to be working either. It’s clear that many indeed most of these models are inadequate, ineffectual nor altogether relevant. What to do?
We should be embracing the newness of all of this; and finding great joy in this rarest of opportunities, where so wide of a community—that is the near entirety of public-private-not for profit—has the chance to forge entirely new paths, break new ground and make lasting impact operating in the vast unknown that is digital security. To be fair, there are many brilliant cyber pioneers out there—mostly located at emerging/growth companies, with others scattered across public and private platforms—doing meaningful work. And individual non-cyber domain companies have come a very long way, from just a few years ago, in recognizing the cyber threat and bolstering their internal information security plans and procedures. But, given the wide and pernicious threat in front of us, by and large things are moving way too slowly.
This author puts large blame on this slow-roll squarely on the US Congress. To be sure, there are members across both chambers who have been out in front on cyber for some time now. But, as an institution, Congress has been woeful in enacting important “activating” policy. Further, I believe the root cause behind Congress’ sitting on their proverbial hands is fear. Fear of the unknown . . . leads to fear of making mistakes . . . leads to fear of residual blowback in the form of pissed-off constituencies, be they district voters or privacy lawyers. We see zero-sum assumptions being based on flawed and in many cases wholesale irrelevant models. Instead, members must make cyber law based the new cyber paradigm.
“Stuff” rolls downhill. While private companies have recent years generally made great strides within their own four walls; inter-company security information-sharing and collaboration still has a very long way to go. Without clear, effective and sensible guidelines from Congress, or at least implicit tacit approval with regard to compartmentalized cyber threat information-sharing, companies will continue to view the risk adjusted cost of (the perception of) usurping privacy regulations as too great versus the reputational gains earned from taking a ‘leader of the pack’ position in private-private cyber collaboration.
Enough! We cannot afford to worry about covering our asses here! Embrace the unknown! Forge new paths! Dare to make an impact! When it comes to policy-making, let’s together commit to operating with a dynamic common-sense approach . . . versus a “thou shall not” legalese mindset. If some folks along the way are going to assail progress and change in the name of strengthening highest stakes vulnerabilities, fine; they can pursue their grievances in the courts—this is an important system byproduct that needs to occur anyway, so let it happen. If mistakes are made along the way, or we come to dead-ends . . . so what?! Really . . . so what? It’s not like great things are happening institutionally at current pace. Take a collective quick pause, critique, regroup, and venture forward all the better informed. This is the glass-shattering that must continuously occur if we’re going to make meaningful gains on the cyber battlefield. Congress must lead the way here. The private sector is poised to act, just like a coiled spring . When Congress unshackles itself from its burdensome ways . . . the private sector will take full note, and unleash. New digital security operating paradigms will quickly emerge . . . and truly innovative, meaningful and lasting cyber work will flourish.
Two bold (but very doable) glass-shattering, paradigm-shifting measures to push this “cyber beast” forward . . .
On the public side: Treat cyber as “the kitchen sink.” Throw it all in there, in the way of effective and innovative policy making. Fast track it; and if something doesn’t work, amend it or toss it in the can. And do this over and over and over again. We don’t need perfect now; we need good and effective now. With resiliency, reflection and continuous self-improvement, over time we’ll get to (near) perfect.
- On the private side: While we’re waiting for Congress to push forward (re the above), let’s expand the cyber candidate slate with the inclusion of alternate profile candidates. We’re all agreed there are currently not sufficient numbers of experienced cyber domain experts in the universal cyber candidate pool. There are, however, deep candidate benches across risk and threat vector/operational decision-making SME domains—namely drawn from the COO, CFO and CRO communities—from which talented individuals can stretch and indeed enhance cyber candidate slates. We don’t need perfect; we need very good and very effective.
In closing, I’d encourage our vast cyber community here to get a hold of the just (last week) released Navy-Private Sector Critical Infrastructure War Game 2017: Game Report, authored by the U.S. Naval War College staff. In the absence of a lessons learned/how might we get there? roadmap…this could be that map.