By Liz Powell
Here in America, we like to think of ourselves as leaders. Winners. The best at everything we tackle. Now we have another trophy for the mantle. We’re No. 1 in cyber risk.
The Ponemon Institute conducted a cybersecurity survey of senior-level IT professionals from across public and private sectors. The result: The United States leads the world in risk across all four cyber mega trend categories. That’s more than the UK and Europe, and more than the Middle East and North Africa.
Over the next three years, things are expected to get better – but only slightly. Respondents expect improvements in human factors and organizational factors, but disruptive technologies and cyber crime are only getting riskier.
Source: Ponemon Institute
Setting Priorities
What does this mean for federal agencies? Kevin DeSouza, a non-resident senior fellow of Governance Studies at the Brookings Institution, examined the strategic plans of federal agencies to determine how much emphasis each agency places on cybersecurity. He found that only half of agency plans even mention cybersecurity – and most of those mentions are brief. Worse, DeSouza found that most agencies’ cybersecurity plans are reactive, rather than preventative.
Two exceptions: The Department of Defense and the Department of Energy stand apart, DeSouza told Federal News Radio. Because both are constantly under attack, they have dedicated teams and agencies to monitor for intruders, respond to attacks and proactively prevent future attacks.
Bureaucracy weakens cyber defenses. The agencies with the weakest IT plans had the most layers of management separating their chief administrators from their CIOs or chief information security leaders, according to DeSouza.
The Ponemon study revealed that across the US, the UK and Europe, and the Middle East and North Africa, only 14 percent of respondents say their organization’s security leader reports directly to the CEO. No surprise, then, that only 34 percent said that senior leadership in their organization views cybersecurity as a strategic priority.
Taking Action
Two initiatives are underway to try to address this problem. The White House is establishing the Cyber Threat Intelligence Integration Center (CTIIC), which will be a clearing house for cyber data collected from US intelligence agencies. And the Department of Homeland Security is creating a public-private cyberthreat sharing system. Phyllis Schneck, deputy undersecretary for cybersecurity, told NPR that the new system will enable companies and agencies to share information about cyberattacks to better prepare others to protect themselves.
Think of it as a vaccination initiative for cyber. Organizations will be able to fight preventable cyberattacks using information from past breaches.
Working out the kinks between these organizations will be an ongoing challenge. Law enforcement and intelligence agencies don’t always have the same priorities as other agencies, let alone business interests.