US Commission on Cybersecurity Report Is Out

This report has been a long time coming and is sorely needed. The Commission started work back in February of 2016 and assembled 12 industry experts to come up with recommendations to President Obama on how to deal with the massive cybersecurity issues plaguing the United States. My hat is off to President Obama for taking the leadership role in this vital area. The recommendations cover six important areas and come with a host of action items to be taken. Seeing how the US has been under siege with a plethora of attacks, from the IRS, to the US Navy, Hillary Clinton, to even the CIA itself, I cannot think of a more important time for this report.

It Is An Issue of Leadership

Like I have been saying all along, it is up to the leaders of an organization to show what direction the organization is going to go. Are they going to be a safe zone for corporate data where people trust them, or are they just going to do the bare minimum and hope for the best? What is their security posture? How do you respond to attacks or a breach? What are your security policies? Or do you just leave these up to circumstances and people below who have no power or influence? These are very important questions and need to be addressed clearly and concisely in order to communicate to your people what the right path is. Just think about it. If there is a slew of bank robberies at a particular bank, does the CEO just leave it up to the tellers or a first-line supervisor at the branches to determine security policies and procedures? No, there will be strong attention paid to the issue from the top, with clear policy-level guidelines on how to deal with it. Well, cybersecurity is the same, but it affects all companies, not just banks, and the potential losses are astronomical compared to a bank robbery.

Two of The Six Areas

The Commission refers to imperatives one through six as the important areas of focus. Imperatives 4 and 6 are of particular interest to us at the corporate level. Imperative 4 refers to encouraging and rewarding private cybersecurity awareness and development. Action item: “Recommendation 4.1: The nation should proactively address workforce gaps through capacity building, while simultaneously investing in innovations”. This shows a top-down approach to fighting this war effectively. Another action item: “Action Item 4.1.4: The federal government should develop a mandatory training program to introduce managers and executives to cybersecurity risk management topics—even if their role is not focused on a cybersecurity mission area—so that they can create a culture of cybersecurity in their organizations.” This is exactly what we have been talking about. Cybersecurity is not a technical problem; it is a policy problem first. Let’s take a look at one of the action items in Imperative 6: “Within the first 180 days of the next Administration, the President should appoint an Ambassador for Cybersecurity to lead U.S. engagement with the international community on cyber security strategies, standards, and practices.” I hope you see where this is leading. There are going to be standards and practices that will be mandated at some point. This is a predictable pattern. Now the question is: do you want to have these standards forced on you, or do you want to lead?
