by Larry Clinton
Yes, they are. While corporate boards of directors worldwide are developing programs to increase their own understanding of the cyber threat and taking action to address it, the government equivalent of corporate boards – legislators, agency heads, and the like – seem content to tell others what to do while not seriously engaging in the sorts of training programs their private sector brethren are committing to.
For example, this morning the Japan Business Federation and the Internet Security Alliance announced the release of the first edition of the Cyber-Risk Handbook for Directors adapted for Japan. This is the fifth adapted version of the Cyber-Risk Handbook released in the past 3 years, now touching 4 continents. The handbooks were originally published for the U.S. National Association of Corporate Directors (NACD), where it is the most popular of the publications in the NACD catalogue. Since then, ISA, working with a range of international partners, has created editions for Germany, the UK, and Latin America. The Japanese version is the first edition that addresses the unique needs of the Asian environment. A pan-European edition is also under development, and additional versions for corporate boards are planned.
I sense a trend; actually, several trends.
The most obvious trend is that industry leaders are not only becoming increasingly aware of the cyber security problem but are taking action to address it. Moreover, the trend in industry is to embrace the cyber issue not simply as an operational technical component but as an enterprise-wide issue that demands a broader corporate structure and integrated approach. This is cyber security being approached from the top down, not bottom up from the IT departments.
We are not just talking standards, frameworks and information sharing anymore. Boards are now demanding that management develop new structures and use modern tools enabling cyber risk to be analyzed in empirical and economic terms, so that mitigation and risk transference strategies can be systematically tailored to the unique nature of the entity's cyber risk appetite, consistent with its organizational mission.
Finally, the international board programs being developed are operating from a coherent, board-level framework that is based on independent assessments which have found that the principles and techniques embedded in the handbooks actually generate pro-security outcomes. The documented impacts of these programs include better budgeting, better risk management, closer alignment of cyber security with organizational goals, and helping to create a culture of security within the organization itself.
To be fair, government agencies from around the world are collaborating in the development of these handbooks. In the US, the Department of Homeland Security, through the National Risk Management Center, as well as the Department of Justice are major contributors to the handbooks, as are the Information Security Agency in Germany (BSI) and the Organization of American States in Latin America.
However, unlike the private sector, government agencies have yet to actually drink their own wine and initiate programs for senior government policy makers, most of whom are digital immigrants, to be schooled in contemporary enterprise-wide cyber security models and tools. Until that happens, public policy around cyber will continue to lag not only behind the private sector, but behind the attackers as well.