In an ever-changing world where doing the right thing is constantly in competition with budgetary concerns, my first thought was to write a piece about how, in cyber, we might borrow the old adage that the Chinese character for adversity is the same as the one for opportunity.
When I sought out the character, I learned that it is in fact not one and the same but two characters that go hand in hand: the first is Wei (pronounced "Way") and the second is Ji (pronounced "Jai").
As I tried to pronounce this in English, it consistently came out as "Way-Jay," which made me think of the Ouija board (a board game designed, allegedly, to let humans communicate with the spirit world).
In my previous post, as in the hundreds of others The State of Security publishes, there is a constant ambiguity in how we define and evaluate risk in the field of cyber. It made me chuckle, because given the amount of money we have spent on cyber, I now have a mental image of a CISO consulting a Ouija board to decide how to run a security program.
As we begin to wrap up 2013, it is worth noting just how disjointed our current approach is: we throw money at cyber problems without any real consideration of how to address risk more effectively and efficiently.
According to the Huffington Post, the U.S. Government is on track to spend $11.6 billion (with a "B") on cyber.
On February 12, 2013, the President of the United States issued Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," and Presidential Policy Directive 21 (PPD-21), "Critical Infrastructure Security and Resilience."
Right now, we have three government-sponsored documents of authority on cyber: EO 13636, PPD-21 and now the NIST Cybersecurity Framework.
Whether you are a proponent or an opponent of these documents, there is no denying the following:
1) The U.S. Government recognizes the gravity of cyber-related threats
2) It is assessing how to incentivize commercial entities to share threat data
3) The EO and PPD are academically solid in theory, but how they will be implemented remains to be seen
4) What the Government thinks an incentive is and what industry actually wants are not aligned
5) The NIST Framework is not likely to drive any real change on its own, and without industry engagement, PPD-21 and EO 13636 will fall short of their goals
DHS is currently in discussions with the cybersecurity insurance underwriting community and appears to be making some progress, but with the administration that has been pushing this cybersecurity agenda leaving office after the 2016 election, the clock is ticking!
Anyone tracking the over/under in Vegas yet?
About the Author: Carter Schoenberg has more than 19 years of combined law enforcement, cyber intelligence and cyber security experience. Starting his professional career in law enforcement as a homicide detective, Carter moved into the private sector with the ISS X-Force, producing daily threat and reconnaissance reports for the ISAC community and DHS. After leaving ISS, Carter worked with the Motorola Security Services Division, spearheading a new method of assessing risk by evaluating the actual costs of security events. In 2010, Carter served as the lead Information Systems Security Officer for the U.S. Immigration and Customs Enforcement (ICE) Cyber Crimes Center before taking on his current role as Technical Director for CALIBRE Systems' Cyber Security Services, in addition to teaching cybercrime, terrorism and white-collar crime at the undergraduate level. He has authored several white papers on cyber risk and litigation and is an accomplished speaker at events such as SecureWorld Expo, ISSA and InfoSec World; in September, he will be speaking at the ISC2 Security Congress.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.