Cybersecurity and the C-Suite (the C stands for complex)

The growth of the cybersecurity sector has brought many new opportunities for businesses across the board.  Inevitably, however, such increase also brings about greater complexity: challenges that now present themselves to security decision makers.  You know the story.  Larger security budgets, hurried spending, and a proliferation of products to navigate and select.  How should the C-suite approach this confusion?  As we’ve discussed in the past, more spending doesn’t automatically equate to smart spending.  Knowing how and where to direct resources can do wonders for an organization’s defenses.  You must ultimately ask, what are we trying to protect?

At its core, this is an issue of collaboration and communication among all concerned parties.  In breaking down this topic, CIO Dive emphasizes that an organization should try to zero in on its most critical assets.  So many these days attempt to secure absolutely everything, equally, which results in a chaotic hodgepodge of software products.  According to their analysis, it’s more imperative than ever for CIOs to work with and rely on their CISOs regarding product choice, risk determination and overall security assessment.  Methods such as these work to reduce risk and improve an entity’s cybersecurity strategy.

Official guidelines would possibly help facilitate these processes; however, as Michael Dworman writes at Charged Affairs, the US lacks clear, overarching regulatory authority at the federal level.  Europe has GDPR inbound.  No such equivalent exists in the states, beyond the state level.  HIPAA doesn’t encompass all industries.  Dworman believes that while the human error that leads to many cyber incidents can’t be legislated away, federal intervention would help incentivize cyber defense at a national level.  Especially in the imposition of strict, enforced penalties for failure of compliance, similar to what GDPR looks to implement.  Meanwhile, it still remains in the purview of the private sector to require basic training for employees, to at least try to keep the spear phishing clickthroughs to the absolute minimum.

The question Dworman poses is, “Is the onus of personal data security on the individual or the government?”  I think it’s clear the answer is “Yes.”  Alone, any efforts taken by either side will come up short in handling the growing sophistication of the cybersecurity landscape and the malicious actors within it.  Government can’t legislate away human error, but can help mitigate its consequences; users can’t enforce regulations, policies and penalties, but they can become educated and vigilant.  Both are required, or both will remain data breach victims.