This article was originally published on Infosec Island.
Dear Mr. President:
We are all anticipating the State of the Union address tonight. The Constitutional requirement to address Congress annually and outline the nation's priorities makes it one of the most highly anticipated policy events of the New Year. For those of us who work in the information technology (IT) industry, though, this year has special meaning. The proposed focus on cybersecurity is a watershed event, and it raises a range of issues, from security to privacy to business practices, that cut across the fabric of American society. As you noted at the Federal Trade Commission last week: "If we're going to be connected, then we need to be protected."
While IT is a large portion of our economy in its own right, more significantly it is the lifeblood and the supply chain of most industries, from farming to manufacturing to financial services to commerce on Main Street. Every business relies on technology, and a lack of trust in IT is a drain on our recovering economy. Moreover, future industries will be built almost entirely on top of the flow of information.
While the American government must play an essential role in catalyzing a national response to the emerging cyber crisis, business and private citizens can also take a leading role in safeguarding our data and preserving both our way of life and our commercial base. Here are four areas worth considering in the context of business.
1. The new broom: mobile and cloud require a new approach
Computing has gone through more change in the past 10 years than in the 40 preceding it. We cannot expect the security approaches we built in the client-server era of the 1980s and 1990s to be effective in the new distributed computing era of mobile devices and cloud services. In an IT world dominated by software, the idea that medieval fortresses will protect our IT systems does not support our national security. Every business in America needs to revisit its architecture and security policies.
2. Built in, not bolted on: security starts at the beginning of the IT development cycle
Today, the people who drive new technology for businesses tend to be the people who create new applications (which mirror business processes such as ecommerce or customer service). However, the siloed nature of IT organizations, and the lack of focus on incorporating security at the beginning of the application lifecycle rather than after the fact, means that the supply chain of new applications may be inherently insecure from inception.
3. Only the paranoid survive: everything must be secured
The perimeter security model most enterprises rely on was designed during a period when people could point to the actual hardware running their computing, and everything inside the firewall was trusted, not unlike our traditional border security. There was the Internet (untrusted) and the corporate network (trusted). This world is changing rapidly and requires the assumption of zero-trust information technology (as described by Forrester Research's Principal Security Analyst John Kindervag): no request is trusted merely because of where on the network it originates; every access is authenticated, authorized, and inspected. Assume you must protect everything.
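To make the contrast concrete, here is an added illustration (not code from the original article or from Forrester) of the two authorization models applied to the same requests. The corporate address range, the access-control list, the toy HMAC "token" standing in for an identity provider, and the device-health flag are all constructed assumptions for the example.

```python
"""
Added example: perimeter ("castle and moat") authorization versus a
zero-trust check, evaluated on the same constructed requests.
Nothing here is from the original article; ranges, names and the token
scheme are assumptions chosen for illustration.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed "inside the firewall"
SECRET = b"demo-only-secret"  # constructed; a real deployment uses an IdP/KMS

# Assumed policy: who may reach which resource, independent of location.
ACL = {"payroll": {"alice"}, "wiki": {"alice", "bob"}}


@dataclass
class Request:
    src_ip: str
    user: Optional[str]       # identity asserted by the caller
    token: Optional[str]      # signed credential from the (simulated) identity provider
    device_healthy: bool      # posture signal: managed, patched, not flagged
    resource: str


def issue_token(user: str) -> str:
    """Stand-in for an identity provider signing an assertion for `user`."""
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()


def perimeter_authorize(req: Request) -> bool:
    """Perimeter model: anything originating inside the corporate network is trusted."""
    return ipaddress.ip_address(req.src_ip) in CORPORATE_NET


def zero_trust_authorize(req: Request) -> bool:
    """Zero-trust model: network location is irrelevant. Each request must carry a
    verifiable identity, come from a healthy device, and be permitted by policy."""
    if not req.user or not req.token:
        return False
    if not hmac.compare_digest(req.token, issue_token(req.user)):
        return False  # forged or mismatched credential
    if not req.device_healthy:
        return False  # compromised or unmanaged device
    return req.user in ACL.get(req.resource, set())


def compare_models() -> dict:
    """Run constructed scenarios through both models and return the decisions."""
    scenarios = {
        # Malware on an internal host, no identity at all, asking for payroll data.
        "internal_attacker": Request("10.1.2.3", None, None, True, "payroll"),
        # Alice working from home over the public Internet with a valid credential.
        "alice_remote": Request("203.0.113.5", "alice", issue_token("alice"), True, "payroll"),
        # Bob is a legitimate insider but is not entitled to payroll.
        "bob_internal_payroll": Request("10.1.2.3", "bob", issue_token("bob"), True, "payroll"),
        # Alice with a valid credential but from a device that failed posture checks.
        "alice_unhealthy_device": Request("10.1.2.3", "alice", issue_token("alice"), False, "payroll"),
    }
    return {
        name: {"perimeter": perimeter_authorize(r), "zero_trust": zero_trust_authorize(r)}
        for name, r in scenarios.items()
    }


if __name__ == "__main__":
    for name, decision in compare_models().items():
        print(f"{name:24s} perimeter={decision['perimeter']!s:5s} zero_trust={decision['zero_trust']}")
```

The first scenario is the one the paragraph warns about: the perimeter model lets an unauthenticated process through simply because it sits on a 10.x address, while the zero-trust check denies it. The second shows the flip side, a legitimate employee working remotely, whom the perimeter model would have to bolt a VPN onto but the zero-trust check admits on the strength of identity, device health, and policy.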
4. The buck stops here: security is a board-level issue, not a specialist problem
In information technology, security has traditionally been seen as "insurance," something to be fobbed off to specialists. It has been chronically underfunded and unpopular. Chief Information Security Officers were perceived as purveyors of "no" when the business wanted to say "go." This attitude must change. Information security must now be a factor in most business decisions and the responsibility of senior management and boards of directors.
By rallying American business leaders around an enhanced focus on information technology security, the White House can add another dimension to meeting this long twilight struggle over cyber activities. Think about it the way we treat health: better diet, exercise and preventive care lower the need for expensive and disruptive procedures later. IT security follows a similar pattern.
But mostly, today, Mr. President, you can use the "bully pulpit" to raise awareness of our need to be vigilant and to change in the area of IT security. A wise American (perhaps Jefferson) noted two hundred years ago: "eternal vigilance is the price of liberty." The words are no less true today in the information security realm than they were in protecting our nascent democracy from enemies foreign and domestic.