I recently kicked off a new series of blogs based on the top 10 threats, trends and business priorities for security executives. Last week, I published my first blog on the subject: History's Lessons. This second blog will look into five key areas for government reform.
STEM (science, technology, engineering and math) is considered a staple of the information age from the perspective of general education. Governments should be investing in STEM education, and based on my travels, many countries, including Peru, South Korea and China, already are.
This comes in the form of competitions, grants, scholarships and incentive programs for students pursuing careers in STEM-related fields like computer science, electrical engineering, mathematics and physics. Incentive programs beyond those directly focused on students extend to educational institutions and even investments in startups. Many developing nations that I've worked in, especially in South East Asia and South America, see investing in STEM as a way to ensure that they are more prepared for the information age than perhaps they were when the industrial age began around 1850.
We all know that information sharing can be a good thing. Yet few organizations embrace it because they don't want sensitive information they've discovered about bad actors, attack vectors, new malware variants, etc. being released.
The idea is that this gives the organization a potential advantage over the attackers, because the attackers don't know they have been detected and are being tracked, and possibly even an advantage over competitors because of the organization's increased intelligence and thus resilience. Or the people they are sharing the information with might not be trusted, or worse, might be the attackers themselves. Another perspective is that the sharing is asymmetric: Party A delivers 90% of the intelligence while Parties B-Z deliver the remaining 10%. This is great unless you are Party A.
The upside of sharing is that it gives organizations a force multiplier and leverages the power of the crowd. This may manifest in industry-specific events fostering collaboration, or it might be automated, machine-readable outputs that go from a cloud into their security controls. In order for this type of activity to be more widespread, there needs to be government incentives such as adjusting how litigation is approached.
Implementing the carrot instead of the stick is one strategy to address reform, especially when it comes to information sharing. That is to say, instead of punishing an organization with fines because of a breach, it is given incentives for participating in information sharing programs. One incentive might be controls applied to litigation which limit penalties for organizations actively involved in information sharing programs.
In many industries, especially those that suffer from outdated security controls such as power and energy, where Windows NT 4.0 may still be responsible for running multimillion dollar turbines, accelerated depreciation would help by allowing these organizations to invest in improved security controls. Again, this might be some type of "bonus," along with the litigation reform "bonus" for organizations participating in information sharing.
Finally, one of the issues often raised where business and information security converge is insurance. Many security and business professionals have argued that the insurance business simply hasn't matured to the point where "cyber insurance" is both affordable and effective. Government-backed reinsurance programs could insure insurance agencies while the industry matures to the point where it is providing the desired value for all parties. This would provide a safety net for the insurance companies while allowing businesses to mitigate their risk.
Reform doesn't need to be another regulatory mandate. It can take the form of multiple programs and incentives such as those outlined here. With a focus on supporting proactive efforts from STEM through insurance, instead of implementing fines and penalties, government can become more "operationalized" within every organization's security posture.
Originally Published on CSO Online