3 December 2015

Time for industry to take a lead against cyberthreats

Kevin G. Coleman, SilverRhino, November 27, 2015 

As a society we are fairly reactive to issues and opportunities brought about by change. A strategic approach to change is all but absent. Those that choose the much more difficult strategic approach usually find themselves in a position of strategic advantage, while those that choose the reactive approach typically find themselves slugging it out day after day. Stop for a moment and think about what percentage of your cyber efforts (offensive and/or defensive) are reactive and what percentage are strategic and proactive.

There are several aspects to both the strategic and reactive approaches. The most common reactive approach is “patch and pray.” Organizations respond to reported vulnerabilities and cyber-attacks as they become known. Most of their efforts are NOT strategic or proactive.

This has proven to fall way short of what is necessary for the current cyber threat environment. A recent report by a leading cyber security product and services company provided a solid understanding of the reactive challenge, showing that each month millions upon millions of new strains of malware are released onto the Internet. When you boil those numbers down, they translate to between 10 and 20 new strains of malware being released each and every second in the month. How many organizations are capable of dealing with that many threats being added each and every second of the day? Very few, if any.

Clearly, a new proactive approach is necessary and must be crafted, vetted, built and implemented if we are to make a substantial improvement in the current level of cyber security. This is not the only attribute of what is now necessary; the approach must be much more holistic as well.

This has come up in multiple conversations that I have had recently, one of which was very troubling. The conversation would lead you to believe that a proactive solution could very well cannibalize most of what we now consider the cyber security industry. While proactive products could cannibalize the industry to some degree, they will not totally eliminate the need for market-reactive products and services. Given that people’s lives are literally at risk, it is troubling to think that businesses, research organizations and possibly even the government (military and intelligence organizations) would hold back answers to some of the difficult cyber security problems that we face.

If a holistic, proactive approach were introduced by industry in cooperation with the government, there could be a fairly robust reduction in the cyber security legislation that is in various stages of the legislative process. If the issues and risk are being addressed by the private sector, regulations would not be necessary and, more importantly, they would be extremely difficult to justify.

While that is a huge positive, there are other benefits to be gained by the private sector getting in front of the cyber threat issue. Think about the marketing campaign that could be launched in support of the proactive measures by the multiple industrial segments that would need to be involved. Not marketing spin, but true proactive initiatives (products and services) that increase an organization’s level of cyber defense and security and serve to reduce the overall level of cyber-related risk.

Will the private sector surprise all of us and jump out with a proactive cyber security offering that would negate much, if not all, of the currently proposed legislative measures? If history is any indicator, the answer is no.

I remember the challenges and difficulties that came with talking about the need for organizations to get ahead of cyber threats in the early 2000s. The situation has become far worse in the decade and a half since then. Perhaps with the threat now recognized at high levels within organizations, coupled with the growing risk and cost of successful cyber-attacks and breaches, now is the time for corporate America to step up and show the innovation that has pushed the country to be a dominant leader in the digital world. Being a strategist, it is what I believe is necessary; but more importantly, it is that kind of leadership that has made the country great for decades.
