THOUGHTS ON SECURITY BY DESIGN/DEFAULT FOR WORLD ECONOMIC FORUM 

    Posted on November 20, 2023 at 8:05 am

    Larry Clinton’s opening statement Last week I was honored to attend the World Economic Forum’s annual cybersecurity conference and lead a session on the demystification of the economics of secure by design/default (watch the introduction above). I want to thank, and congratulate, the Forum for creating this session. This topic lies at the very essence of […]


    WHITE HOUSE SHOULD LOOK TO BOARD’S GUIDANCE ON AI AND CYBERSECURITY – PART 2 

    Posted on October 31, 2023 at 6:00 am

    The founder of the organization I am honored to lead was Dave McCurdy, the former Chair of the House Intelligence Committee. Based on his long career in government Dave liked to say, “government does two things well, nothing and over-react.” We are clearly, and rightfully, out of the “do-nothing” phase of government’s involvement in AI. […]


    WHITE HOUSE SHOULD FOLLOW BOARD’S GUIDANCE ON NEW AI EXECUTIVE ORDER 

    Posted on October 30, 2023 at 9:08 am

    Introduction by ISA President Larry Clinton There is tremendous anticipation regarding the imminent release of a sweeping new Executive Order (EO) on the use of Artificial Intelligence from the Biden White House (LINK). Although the EO holds potentially game-changing reach, it needs to be understood in the context that government is largely playing catch-up on […]


    THE KEY TO UNDERSTANDING SYSTEMIC CYBER RISK IS MARKET PENETRATION

    Posted on October 26, 2023 at 10:04 am

    Introduction by ISA President Larry Clinton The SolarWinds Orion software attack – which occurred nearly three years ago – had a devastating impact that organizations are still facing today. Recent reports estimate that government agencies and private organizations will spend $100 billion over the next few years investigating the incident and remediating the damage done in […]


    COMMERCIAL ECONOMICS ARE INSUFFICIENT TO DEFEND CRITICAL INFRASTRUCTURE FROM CYBER ATTACKS  

    Posted on October 24, 2023 at 12:58 pm

    Introduction by ISA President Larry Clinton Critical Infrastructure in the United States is facing a substantial risk of cyber attacks at all times due to the imbalance of risk assessment between the public and private sectors. Until this disparity is mitigated, the United States will never be adequately protected on all sides from cyber attacks.  […]


    FOR THE CYBER PUBLIC-PRIVATE PARTNERSHIP TO WORK THE REGULATORY MODEL NEEDS TO BE REFORMED 

    Posted on October 20, 2023 at 5:02 am

    Introduction by ISA President Larry Clinton The Biden Administration’s National Cybersecurity Strategy (NCS) rightfully “recognizes that robust collaboration, particularly between the public and private sectors, is essential to securing cyberspace.” Unfortunately, this “essential” goal is undermined in the very same document. Alongside announcing plans to scale public-private partnerships, the Biden Administration also proposes a number of […]


    DO CYBER REGULATIONS IMPROVE SECURITY? (SPOILER ALERT: NO) 

    Posted on October 18, 2023 at 4:59 am

    Introduction by ISA President Larry Clinton Many people new to the cybersecurity issue often suggest that what is needed is a strict regulatory model.  However, as Richard Clarke and Robert Knake, two of the most experienced and well-respected experts in the field of cybersecurity, point out in their book The Fifth Domain, “There is a […]


    CYBERSECURITY REGULATION: DOING THE SAME THING AND FAILING  

    Posted on October 17, 2023 at 8:54 am

    Introduction by ISA President Larry Clinton Although Albert Einstein probably never said “The definition of insanity is doing the same thing over and over again and expecting a different result,” it’s still a pretty incisive comment that unfortunately applies to cybersecurity regulation. Our current cybersecurity process is insane.  The fact is that the traditional cybersecurity […]


    LESSONS PRIVATE SECTOR CAN TEACH THE GOVERNMENT ON FIGHTING CYBERCRIME

    Posted on October 6, 2023 at 10:43 am

    Introduction by Larry Clinton As we have documented in past blogs (LINK, LINK), we are fighting an uphill battle against increasingly sophisticated cybercriminals. In fact, the new national strategy to secure cyberspace essentially says that only the most sophisticated private companies have any hope of preventing cyber-attacks. This means we must increasingly rely on our […]


    ONE WAY TO GET CYBERCRIMINALS TO FUND LAW ENFORCEMENT

    Posted on October 5, 2023 at 5:08 am

    Introduction by Larry Clinton As we explained in previous blogs (LINK), cybercrime is at an all-time high – and there are no signs that it is slowing down. Economic losses from cybercrime are estimated to be as much as $2 trillion annually—and increasing to as much as $10.5 trillion by 2025 – 10 trillion is […]


    WHAT CAN PINK DO FOR CYBER? 

    Posted on October 4, 2023 at 11:37 am

    Introduction by Larry Clinton I expect virtually everyone who might be reading this blog knows that October is Cybersecurity Awareness Month. But I doubt the total number of people in the United States who know October is “our” month rises above five figures. Of course, awareness that we have a cybersecurity problem is virtually […]


    TIME TO MODERNIZE THE MILITARY’S ROLE IN CYBER CRIME DEFENSE  

    Posted on September 21, 2023 at 8:28 am

    The release of the Department of Defense’s (DOD) 2023 Cyber Strategy could not have come at a better time. The first DOD Cyber Strategy since 2018, it shows the DOD recognizes the scale of the cyberthreats facing our nation and is looking to build a forward-facing posture in our nation’s cyber defense. The digital age […]


    POSSIBLE MARKET INCENTIVE PROGRAMS TO PROMOTE SECURITY BY DESIGN AND DEFAULT

    Posted on September 20, 2023 at 5:00 am

    Introduction by ISA President Larry Clinton Last week we discussed the foundational principles (LINK) and best practices (LINK) that can be followed to implement the Biden Administration’s Secure by Design and Default (SDD) proposal. In this third and final blog on SDD, we will dive into the most important part of any proposal: how to […]


    HOW DO CORPORATE BOARDS LOOK AT ARTIFICIAL INTELLIGENCE AND CYBERSECURITY? (PART II)

    Posted on September 19, 2023 at 7:49 am

    AI is the new black, in two senses. First, AI is clearly the fashion of the day as AI week on Capitol Hill has now turned into AI month and may well have an extended “season.” The other sense in which AI is the new black is that in many ways it is an ominous, and […]


    HOW DO CORPORATE BOARDS LOOK AT ARTIFICIAL INTELLIGENCE AND CYBERSECURITY?

    Posted on September 18, 2023 at 7:35 am

    According to Politico it’s unofficial AI week on Capitol Hill, as lawmakers in the House Oversight cyber subcommittee and the Senate Homeland Security and Governmental Affairs Committee are capping off their first few days back by asking federal agencies: what are you doing with AI? A key element of Congressional oversight, as it is […]


    HOW TO DO SECURITY BY DESIGN AND DEFAULT – 10 BEST PRACTICES  

    Posted on September 15, 2023 at 5:00 am

    In yesterday’s blog (LINK) we highlighted the Biden Administration’s positive step toward rebalancing the economics of cybersecurity. By shifting the narrative away from “blaming the victim” of cyberattacks, we are moving in the right direction toward creating a market economy of products with cybersecurity embedded in their very design. However, this won’t be easy. For […]


    STOP BLAMING THE VICTIM: 7 PRINCIPLES FOR SECURE BY DESIGN & DEFAULT 

    Posted on September 14, 2023 at 5:00 am

    Introduction by ISA President Larry Clinton The reality is that we are losing the fight to sustainably secure our cyber networks – and losing badly. This means we need to change the way we have been approaching the issue. That begins by stopping the blame game focusing on the victims of cyber-attack and beginning to […]


    THE VIRTUAL CYBERSECURITY ACADEMY—FREE CYBERSECURITY FOR THE GOVERNMENT!

    Posted on September 13, 2023 at 5:00 am

    You read that right. By creating a national virtual cybersecurity academy we would fill the current 35,000-person federal cybersecurity workforce gap in 4 years, thus measurably enhancing our country’s security. Moreover, because academy graduates would replace the current independent contractors the government is hiring while receiving salaries equivalent to those of graduates of the traditional […]


    CREATING A VIRTUAL CYBERSECURITY ACADEMY SHOULD BE OUR TOP PRIORITY 

    Posted on September 12, 2023 at 5:00 am

    Introduction by ISA President Larry Clinton The federal government spends roughly $70 billion a year on our cybersecurity. The very first billion ought to go to funding a virtual cybersecurity academy. The reason, as we outlined in our previous post (read here), is that we are wasting much of the current $70 billion spent because […]


    THE MOST IMPORTANT ISSUE IN CYBERSECURITY DOESN’T GET THE ATTENTION IT DEMANDS 

    Posted on September 11, 2023 at 8:37 am

    What is the single most important public policy issue in cybersecurity? Hint: the answer is the same as if we asked what is the single greatest vulnerability in our cyber systems. It’s people. We don’t have nearly enough properly trained cybersecurity professionals. Current estimates are that we have 700,000 cybersecurity jobs we can’t fill (world-wide […]


    OMB CAN QUICKLY STOP REDUNDANT, WASTEFUL, HARMFUL CYBER REGULATIONS 

    Posted on September 8, 2023 at 5:00 am

    In yesterday’s post we praised the new national cybersecurity strategy for properly placing the harmonization of cybersecurity regulations as issue 1.1.1 in its new implementation plan. Streamlining regulations is one of the fastest, most efficient, and frankly easiest, ways to unleash significant amounts of scarce cybersecurity resources to more effective uses. We also criticized the […]


    BIDEN CYBER IMPLEMENTATION PLAN: GREAT FIRST STEP –STUMBLES ON SECOND STEP (PART 1)

    Posted on September 7, 2023 at 5:00 am

    President Biden’s National Cybersecurity Strategy (NCS) and subsequent Implementation Plan (NCSIP) got off to a great first step by recognizing the need for cybersecurity harmonization as initiative 1.1.1. The Administration is properly prioritizing this initiative because addressing it will, comparatively quickly and effectively, enhance our nation’s cybersecurity by freeing up between 40%-70% (depending on the […]


    TWENTY-FIVE WAYS TO ENHANCE CYBERSECURITY WITHOUT NEW REGULATIONS 

    Posted on September 6, 2023 at 9:59 am

    Absent a few notable exceptions, traditional regulation has not worked to improve our cybersecurity. There are multiple reasons why it generally doesn’t improve security and is often actually counterproductive, which we (ISA) describe in our recent book Fixing American Cybersecurity: Creating a Strategic Public Private Partnership (Georgetown University Press 2023), so we won’t detail them […]


    STREAMLINING CYBERSECURITY REGULATION: AN ELEGANT SOLUTION

    Posted on July 24, 2023 at 9:48 am

    In science and public policy, a principal goal is to develop an elegant solution. Elegance is generally defined as the simplest statement that most completely solves the problem. The quintessential example of scientific elegance is Einstein’s explanation of the theory of relativity, E=mc². Beautiful. The Biden Administration has just released its proposal to address the […]


    Cyber Director Position Remains Vacant: ISA Urges a New Strategy for Cybersecurity

    Posted on July 5, 2023 at 10:24 am

    In an increasingly interconnected world, cybersecurity has become a paramount concern for governments, businesses, and individuals alike. The Government Accountability Office (GAO) recently published an article titled “Cybersecurity: Actions Needed to Address Challenges and Improve the Federal Government’s Management of Cybersecurity Risks,” shedding light on the critical issues facing our nation’s cybersecurity efforts. To address […]


    ISA APPLAUDS DOD EFFORTS TO HELP SMALL COMPANIES ON COLLECTIVE DEFENSE — MORE WORK ON INCENTIVES NEEDED 

    Posted on June 28, 2023 at 11:16 am

    BY LARRY CLINTON AND ANNA MISKELLY As the Pentagon’s Cybersecurity Maturity Model Certification (CMMC) program rulemaking looms over the defense industrial base (DIB), the Pentagon released a two-page fact sheet highlighting free services offered to companies to help them reach compliance. Services such as Project Spectrum and the Blue Cyber Initiative focus on small businesses, targeting […]


    Congress Taking Steps to Address the Biggest Technological Threat of Our Time

    Posted on June 23, 2023 at 11:12 am

    By Larry Clinton and Sarah Harmon This past week, the House Armed Services Committee approved amendment language for the proposed 2024 National Defense Authorization Act (NDAA) to bolster our country’s cybersecurity and emerging technology programs next year. These changes aim to improve the U.S.’s ability to compete with China across several technology sectors, with a […]


    QUESTIONS FOR THE BOARD TO CONSIDER IN USING AI

    Posted on May 26, 2023 at 11:04 am

    It took Netflix two and a half years to reach 1 million users. Facebook did it in 10 months. ChatGPT did it in 5 days. Just as the Internet fundamentally disrupted business plans a decade ago, so, too, is generative artificial intelligence now changing the world – only at a far accelerated pace. Management teams […]


    VIRTUAL CYBER ACADEMY WOULD SOLVE WORKFORCE ISSUE AND HELP REDUCE THE DEFICIT

    Posted on May 11, 2023 at 5:34 pm

    An analysis of the proposal to create a national, virtual cybersecurity academy shows that creating the academy would not only solve the federal government’s cybersecurity workforce problem in less than 4 years but would create savings that allow the program to pay for itself – and even contribute to reducing the federal budget deficit. The […]


    CHINA BEATING US ON TECH STANDARDS – BIDEN NATIONAL STRATEGY NEEDED

    Posted on May 9, 2023 at 8:31 am

    What could possibly be less sexy than setting technical standards? It’s a tough question, I’ll give you a minute. Maybe, writing about setting technical standards? But it’s one of those jobs that absolutely HAS to be done. Obviously, the technical standards are the building blocks of the digital world. If the standards are not done […]


    RSA REPORT ON SECURE BY DESIGN — WE NEED AN HOV LANE

    Posted on April 26, 2023 at 8:00 am

    One of the many activities at RSA this week has been a series of meetings on how exactly CISA can implement the big idea in the Biden Administration’s new national cybersecurity strategy, shifting the focus on cyber from the user to the providers of cyber technology. Much of the talk around the new strategy has […]


    WHAT IS BEST FOR SEC ON CYBER? OLD STYLE REGS OR NACD MODEL?

    Posted on April 5, 2023 at 9:41 am

    To begin with, we know the cyber risk oversight model described in the NACD-ISA Cyber Risk Handbook actually enhances cybersecurity. We also know there is no proof the SEC’s proposed regulations, which have already been tried in multiple venues, will enhance cybersecurity or protect investors. In fact, the NACD-ISA handbook is the only set of […]


    INDEPENDENT REVIEW OF FIXING AMERICAN CYBERSECURITY

    Posted on March 31, 2023 at 9:14 am

    A Review of Fixing American Cybersecurity, Edited by Larry Clinton with Foreword by Kiersten Todt. This entry was posted in Book Review, Cybersecurity on March 30, 2023 by Steven Bowcut. In an era of growing cyber threats and increasing data breaches, the need for robust cybersecurity measures has never been greater. Against this backdrop, Larry Clinton’s new book, “Fixing American Cybersecurity: Creating […]


    SEC NEEDS A CYBER MODEL THAT WORKS

    Posted on March 30, 2023 at 9:29 am

    Writing in the February edition of Foreign Affairs, CISA Director Jen Easterly called for “a new model” for cybersecurity. A month later President Biden released a new national strategy for cybersecurity which he said would “realign incentives in favor of long-term investment.” When releasing the new strategy, acting WH Director for Cybersecurity Kemba Walden said, […]


    The SEC: The Elephant in the New National Cyber Strategy

    Posted on March 27, 2023 at 11:28 am

    The Biden Administration’s new National Cybersecurity Strategy is an important first step toward improving our nation’s cybersecurity. This strategy, unlike the numerous others that have been unveiled over the past 20 years, adopts ISA’s core argument that we cannot create a sustainably secure cyber system until we rebalance the incentives for cyber-attacks. ISA is not […]


    FIRST DO NO HARM: THE MANTRA FOR NEW CYBER REGULATION

    Posted on March 15, 2023 at 9:17 pm

    The traditional regulatory model – when applied to cybersecurity – is actually anti-security. For all the discussion around the Biden Administration’s new cyber strategy generating new regulations, this one simple fact remains. There is no evidence the cyber regs are working. The real question is not so much how much new regulations there ought to […]


    WHY CYBER REGULATIONS IN NATIONAL STRATEGY MAY NOT WORK

    Posted on March 6, 2023 at 10:21 am

    The new National Cybersecurity Strategy released last week calls for intensified federal regulation of IT providers, while presumably shifting regulatory focus away from technology users (we will see what the regulatory agencies and the SEC have to say about that last part). The strategy asserts “regulation can level the playing field enabling healthy competition without […]


    THREE QUICK STEPS TO IMPLEMENT THE NATIONAL CYBER STRATEGY (NOT WHAT YOU THINK)

    Posted on March 3, 2023 at 10:00 am

    There are probably various government agencies where regulators have already sharpened their virtual pencils, preparing to write up some new regulations to go along with the new National Cybersecurity Strategy released yesterday. Please put down your pens. That is not where implementation of the new strategy needs to begin. While much of the conversation about the […]


    IS REGULATION THE ANSWER TO OUR CYBERSECURITY PROBLEM (PART I)

    Posted on March 1, 2023 at 9:23 am

    There is a common misconception that cybersecurity regulation has not been tried, and that, if only there was federal regulation of cyberspace, we would have a more secure environment. The facts don’t bear out this assertion. In our next two posts, we will first lay out the empirical evidence that cyber regulation does […]


    IS THE CYBERSECURITY PROBLEM ONE ABOUT TECH OR ECONOMICS?

    Posted on February 27, 2023 at 10:14 am

    Spoiler alert: It’s both. However, virtually all of our efforts to address our cybersecurity problems have focused on the tech side and virtually none on the underlying economics of cybersecurity. This has led to an unbalanced and ineffective government response in “providing for the common defense” of the cyber infrastructure. In their classic work, The […]


    US CYBERSECURITY – OLD PRACTICES, NEW VISIONS

    Posted on February 24, 2023 at 7:52 am

    US cybersecurity policies have been inadequate for decades and need to be updated to counter the heightened digital and physical risks the nation faces from our adversaries today. The US cybersecurity effort over the past thirty years largely comes down to a series of modest, disjointed, incremental tactics. On the other hand, one significant rival, […]


    From Pulitzer Prize-winning author Byron Acohido on Last Watchdog.

    Posted on February 23, 2023 at 8:57 am

    The review (pasted below) is also available at AUTHOR Q&A: China’s spy balloons reflect a cyber warfare strategy America must counter https://www.lastwatchdog.com/ By Byron V. Acohido The attack surface of company networks is as expansive and porous as ever. Related: Preparing for ‘quantum’ hacks That being so, a new book, Fixing American Cybersecurity, could be a long […]


    THE (ONLY) PATH FOR THE US TO WIN THE DIGITAL WAR WITH CHINA

    Posted on February 22, 2023 at 8:00 am

    In a series of posts over the past couple of weeks (LINKS), we have documented how China has been successfully carrying out a concerted and multi-faceted digital program designed to re-make the post-WWII world order and redirect it toward China. The Chinese campaign is well conceived, integrated, generously supported, and largely covert, which is consistent with […]


    CAN THE US MATCH CHINA’S MILITARY-CIVIL FUSION MODEL? WILL IT?

    Posted on February 20, 2023 at 9:50 am

    In recent posts, we have described how over the last 30 years China has smartly leveraged the vulnerabilities of the digital age to steal Western technology and, in so doing, leap-frog generations of R&D to become a world economic power. Not satisfied with their renaissance as an economic power, China leveraged massive government financial support […]


    Huawei is Just the Tip of the Spear in Digital Aggression

    Posted on February 13, 2023 at 7:53 am

    In our last post we documented how Huawei technology, thanks to massive cross-subsidization from the Chinese government, was succeeding in deploying its telecommunications network around the world. That is a story that is fairly well known in Washington policy circles. However, Huawei is by no means the only technology threat China poses through its comprehensive […]


    HUAWEI MAKES OFFERS YOU CAN’T REFUSE ADVANCING CHINA’S GOALS

    Posted on February 10, 2023 at 10:00 am

    China’s Digital Silk Road Strategy integrates technology, economics, and politics with the long-term goal of altering the post-World War II US-European world order. An assessment of China’s three wars strategy by the U.S. Department of Defense found that the CCP’s goals were to reclaim global status over the United States by weakening our alliances […]


    CISA SAYS WE NEED A NEW CYBERSECURITY MODEL; THEY GOT THAT RIGHT!

    Posted on February 8, 2023 at 9:05 am

    Last week, Foreign Affairs magazine published an article written by CISA Director Jen Easterly and Asst. Director Eric Goldstein entitled “Why Companies Must Build Security into Products.” The central thesis of their article is that we need a “new model” for cybersecurity because what we have been doing isn’t working. This is precisely the messaging […]


    CHINA’S DIGITAL STRATEGY IS THE THREAT BALLOONS & TIKTOK ARE TACTICS

    Posted on February 6, 2023 at 10:46 am

    In the past few weeks, China’s surveillance balloon and the ubiquity of TikTok have created substantial concern in Washington, as well they should. However, these are simply among the most obvious tactics China is using in its competition with the West. For the US to be adequately responsive we need to be more aware of […]


    CISA’s Todt, in foreword to new book, cites need for industry incentives and strengthened partnerships

    Posted on January 31, 2023 at 7:37 am

    By Charlie Mitchell / January 31, 2023 CISA chief of staff Kiersten Todt provides the foreword to a new book on cybersecurity strategy by Internet Security Alliance leader Larry Clinton, saying a focus on economic incentives for industry cyber improvements is an essential part of “a strong, actionable approach to industry/government collaboration.” “We need bold action […]


    FIXING AMERICAN CYBERSECURITY WITH A STRATEGIC PARTNERSHIP AND TOOL-KITS

    Posted on January 30, 2023 at 9:18 am

    I’m delighted to announce that this week the Internet Security Alliance will launch its Fixing American Cybersecurity campaign. The campaign is based on three new publications. First ISA’s public policy book Fixing American Cybersecurity: Creating a Strategic Public Private Partnership (Georgetown University Press) [Link: available for pre-release purchase on Amazon] which will be released this […]


    INTERNET SECURITY ALLIANCE TOP 25 HIGHLIGHTS OF 2022

    Posted on January 3, 2023 at 7:26 pm

    Independent research conducted by MIT finds the consensus cybersecurity principles and practices laid out in the NACD-ISA Cyber Risk Oversight Handbooks “demonstrate that organizations that use the consensus principles can significantly improve their cyber resilience without raising costs” and organizations who “follow the principles are predicted to have 85% fewer incidents.” This confirms previous research by PwC. […]


    THE INTERNET SECURITY ALLIANCE (ISA)

    Posted on at 7:25 pm

    ISA’s mission is to integrate advanced technology with economics and public policy to promote a sustainably secure cyber system. The ISA board consists of cyber leaders (typically CISOs) from virtually every critical industry sector. Over 20 years ISA has created a comprehensive theory and practice for cybersecurity covering both enterprise risk management and government policy. ISA’s […]


    MIT Research Documents Effectiveness of Consensus Cyber Risk Oversight Principles

    Posted on November 17, 2022 at 7:19 am

    Geneva, Switzerland/November 16/As the World Economic Forum’s annual Cybersecurity Summit concluded today, research conducted by Cybersecurity at MIT Sloan (MIT CAMS) found that the cyber risk oversight principles (consensus principles) developed by the Forum in conjunction with the Internet Security Alliance (ISA) and the National Association of Corporate Directors (NACD) “demonstrate that organizations that […]


    As cyber attacks increase, here’s how CEOs can improve cyber resilience

    Posted on at 6:53 am

    Major Findings · The Cyber Risk Principles developed by the ISA, NACD and the World Economic Forum help drive cyber resilience across industries. · Simulation-aided research from MIT CAMS shows that commitment to and adoption of the Cyber Risk Principles significantly improves cyber resilience. · Results also show that commitment to these cyber risk principles […]


    ISA PROPOSAL FOR A VIRTUAL CYBERSECURITY NATIONAL SERVICE ACADEMY

    Posted on July 18, 2022 at 11:12 pm

    PREMISE ONE: CYBERSECURITY IS A NATIONAL DEFENSE IMPERATIVE Just as World War II made it apparent that the skies were a unique domain of warfare resulting in the creation of the US Air Force Academy in the 1950s, so, too, have recent events made it clear beyond doubt that cyberspace is now a unique domain […]


    TOP TEN REASONS FOR A VIRTUAL CYBERSECURITY SERVICE ACADEMY (Part 1)

    Posted on May 31, 2022 at 11:27 am

    In a series of recent posts, we have noted the time has come for us to create a national virtual cyber service academy, modeled on our traditional military academies, but updated for the digital age (link). We subsequently detailed the public policy argument for this academy (link) and outlined a governance model for it (link).  […]


    THE CASE FOR A NATIONAL CYBERSECURITY ACADEMY, PART 2

    Posted on at 11:21 am

    EXECUTIVE SUMMARY In our last post we made the case for a national, virtual, cybersecurity academy. In this post we will discuss the key points of our proposal and in our next post we will discuss the advantages of our proposal which we suggest as the only practical way for the USA to quickly, comprehensively, sustainably, […]


    THE CASE FOR A NATIONAL CYBERSECURITY ACADEMY, PART 1: A NATIONAL DEFENSE IMPERATIVE

    Posted on at 11:19 am

    We need to stop talking about the issue of cybersecurity workforce development. We need to properly frame the issue as an imperative for national defense digital mobilization. Just as World War II made it apparent that the skies were a unique domain of warfare resulting in the creation of the US Air Force Academy in […]


    IT IS TIME FOR A NATIONAL CYBER SERVICES ACADEMY

    Posted on at 11:15 am

    Our service academies – West Point, Annapolis, the Air Force and Merchant Marine Academies – are the ultimate public private partnership. Government offers private citizens high quality education at no cost, and in return the graduates are obliged to provide three years of service to the government, and many stay on well past that obligation. The system has […]


    INGLIS PROPOSES CYBER SOCIAL CONTRACT: GREAT IDEA! NOW LET’S TALK TERMS

    Posted on February 23, 2022 at 11:55 am

    By Larry Clinton In the latest edition of Foreign Affairs, the US Director for Cybersecurity, Chris Inglis and Harry Krejsa, propose that the government and industry forge a new paradigm – a cybersecurity social contract. Naturally, the Internet Security Alliance applauds this move toward a new paradigm. We do so for two reasons, first and […]


    Regulation of Cybersecurity Has Been Tried and It Doesn’t Work

    Posted on January 21, 2022 at 12:11 pm

    By Larry Clinton The focus of the current series of posts is to suggest the need for new directions in cybersecurity policy. Put succinctly, it’s not just that we need to do cybersecurity better – it’s that we need to do cybersecurity differently. Why? Because we are getting killed out there. Cybercriminals generate roughly $2 trillion […]


    Playoffs Time: What Can Cyber Policymakers Learn from the NFL?

    Posted on January 17, 2022 at 1:07 pm

    This blog series began by asserting that in the new year, given the obvious ineffectiveness of our current cyber policies, it’s time for policymakers to begin focusing on issues that might really matter in terms of creating a sustainably secure system. We then moved forward to identify two major areas where government could really make a […]


    New Year’s Cyber Resolution: Modernize Cyber Law Enforcement

    Posted on January 14, 2022 at 11:48 am

    By Larry Clinton In this series of posts, we have been arguing that now is the time to rethink our efforts to create a sustainably secure cyber ecosystem. The core notion of this rethinking would be to, finally, begin focusing more on programmatic changes that will truly impact the security of cyberspace, as opposed to the […]


    New Year’s Cyber Policy Resolution #1: Get Serious About Workforce Development

    Posted on January 10, 2022 at 11:29 am

    By Larry Clinton Last week, we discussed that we needed to make a New Year’s resolution to start talking about things that really matter for cybersecurity. One area that really matters if we’re serious about improving our cybersecurity is addressing the current workforce shortage. We can never adequately secure our cyber systems unless […]


    A NEW YEAR’S CYBER RESOLUTION: LET’S START TALKING ABOUT THINGS THAT REALLY MATTER

    Posted on January 3, 2022 at 11:51 am

    By Larry Clinton, President and CEO, Internet Security Alliance I have to say I’m disappointed the language requiring more stringent timelines for reporting cyber events to the government didn’t make it into the National Defense Authorization Act (NDAA). I’m not disappointed because I have strong feelings one way or another about that provision – to […]


    The Coronavirus Pandemic Has Created Novel Cybersecurity Challenges — But It May Also Give Us a Solution to the Cybersecurity Workforce Problem

    Posted on May 7, 2020 at 11:26 am

    By Josh Higgins, Senior Director of Policy and Communications The COVID-19 pandemic has created many new challenges for companies — such as managing a remote workforce, adopting new suppliers and cloud services, and a vastly expanded cyber-threat landscape — as the world works to maintain productivity through primarily virtual means. However, despite all these new […]


    Coronavirus Creates New Insider Cyber Threat and How to Treat It

    Posted on April 6, 2020 at 11:41 am

    Instantaneous, Unplanned, Digital Transformation Creates Massive Cyber Risk By Larry Clinton Insiders are generally identified as the locus of about half of successful cyber-attacks. The 2020 edition of the Cyber-Risk Oversight Handbook published by the National Association of Corporate Directors (NACD) and the Internet Security Alliance (ISA) last month (available free of charge here) identifies the […]


    ISA Board of Directors Offers Cybersecurity Best Practices for COVID-19 Crisis

    Posted on April 2, 2020 at 10:56 am

    The outbreak of coronavirus globally has created a new reality vastly increasing how much business is done online: While this new virtual reality is essential to sustaining business during the pandemic, it is critical that corporate boards are also aware of the increased cybersecurity threat from this intensified, and often unplanned, utilization of technology. As […]


    Top Ten Reasons Why Cybersecurity Is Like Coronavirus

    Posted on March 16, 2020 at 4:47 pm

    By Larry Clinton I’m not saying cybersecurity and the coronavirus are exactly the same. The defining characteristic of the cyber threat is that we have conscious and deliberate actors carefully crafting attacks. The coronavirus has no conscience, no plan. At the same time, notwithstanding differences, these domains are both attacks on our cultures, and when […]


    Cyber Principle Two for Boards: Know Your Legal Obligations

    Posted on March 11, 2020 at 10:48 am

    This is the second in a series of blogs distilling the cybersecurity advice for boards of directors contained in the new Cyber-Risk Oversight 2020 Handbook published by the National Association of Corporate Directors and the Internet Security Alliance. By Larry Clinton In 2015, ISA, along with Georgia Tech, the New York Stock Exchange, and Palo […]


    The First Principle of Cybersecurity — It’s Not an “IT” Issue

    Posted on March 2, 2020 at 10:37 am

    By Larry Clinton At last week’s RSA Conference, the National Association of Corporate Directors (NACD) in partnership with the ISA published Cyber Risk Oversight 2020: Key Principles and Practical Guidance for Corporate Boards. This is the third in a series of cyber-risk handbooks ISA and NACD have partnered on since 2014, and like the previous […]


    WHAT I HEARD AT THE G-20 CYBERSECURITY DIALOGUE THIS WEEK

    Posted on February 5, 2020 at 12:47 pm

    This week I was honored to be one of the 17 outside experts (3 Americans including myself) asked to address the official G-20 Cybersecurity Dialogue in Riyadh, Saudi Arabia. This meeting was designed to assist the G-20 Digital Economic agenda for this fall’s full G-20 […]


    What I’ll Tell the G20 Cybersecurity Dialogue Meeting in Riyadh Today

    Posted on February 3, 2020 at 7:16 am

    By Larry Clinton I’m honored to be one of about 15 outside speakers who have been asked to address the G20 Cybersecurity Dialogue — part of the G20 Digital Economy Task Force — at their invitation-only meeting in Riyadh. I’m delighted that the world’s largest economies are launching an effort to look at our cybersecurity problems […]


    Solarium Commission Off to a Good Start: What’s Next (Part II)

    Posted on January 9, 2020 at 10:30 am

    Cyberspace Solarium Commission Co-Chair Sen. Angus King (I-ME) has “leaked” to us that the Commission is virtually unanimous in the desire to see government process for cybersecurity overhauled. As we discussed in this space yesterday, that is a great, if not exactly novel, idea. But as the old saying goes, every great idea eventually devolves […]


    ISA: Solarium Commission is Off to a Good Start, Now What?

    Posted on January 8, 2020 at 9:32 am

    In 2016 the ISA published a 12-step program for Congress and the new Administration to address the growing cybersecurity threat. Number 4 on the list (after act with greater urgency, spend more money, and understand cybersecurity is not just about IT) was that “Government needed to get organized to reflect the digital age.” Yesterday the […]


    Global Consensus of Industry to Address Cyber Reaches Asia, Is Government Far Behind?

    Posted on October 31, 2019 at 11:42 am

    by Larry Clinton Yes, they are. While corporate boards of directors worldwide are developing programs to increase their own understanding of the cyber threat and taking action to address it, the government equivalent of corporate boards – legislators, agency heads, and the like – seem content to tell others what to do while not seriously […]


    U.S., German, and Latin American Boards and Cybersecurity: Similarities and Differences

    Posted on October 28, 2019 at 10:00 am

    by Larry Clinton In a field seemingly overpopulated with remarkably similar programs on cybersecurity, the Organization of American States, of all places, will host a unique program at their Washington, D.C. headquarters on November 8. OAS, along with the Cyber Security Council of Germany and the Internet Security Alliance, will discuss the findings of a […]


    WHAT CAN PINK DO FOR CYBER?

    Posted on October 2, 2019 at 8:49 am

    by Larry Clinton I expect virtually everyone who might be reading this blog knows that October is Cybersecurity Awareness Month. But I doubt the total number of people in the United States who know October is “our” month rises above five figures. Of course, awareness that we have a cyber security problem is virtually unanimous. […]


    SOMETHING TO BE AWARE OF THIS OCTOBER

    Posted on October 1, 2019 at 10:24 am

    by Larry Clinton I have opined in the past, somewhat tongue in cheek, that Cyber Security Awareness Month may be a bit outdated—is there really anyone unaware that we have a cyber security problem in 2019? Perhaps a Cybersecurity Understanding Month is a bit timelier and more needed. However, in the spirit of the cyber season […]


    CYBERSECURITY COMES TO LATIN AMERICA

    Posted on September 30, 2019 at 1:43 pm

    by Larry Clinton On Friday I was honored to provide the closing keynote speech at the Organization of American States’ (OAS) Cybersecurity Symposium in Santiago, Chile. The purpose of the event was to unveil and release the first Cyber-Risk Oversight Handbook for Corporate Boards targeted for the entire Latin American region. The Handbook is part […]


    DHS Taking Steps in the Right Direction on Cyber Risk Management

    Posted on August 12, 2019 at 11:03 am

    by Larry Clinton Perhaps the one thing virtually everyone in the cybersecurity field agrees on is that, notwithstanding many laudable efforts, we are losing the fight to secure cyberspace. Illustrative of this reality, the Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, Chris Krebs, has wisely commented we need a new […]


    Mandatory Cybersecurity Training for Congress: What Kind of Training?

    Posted on July 31, 2019 at 9:52 am

    by Larry Clinton Last week, the bipartisan Select Committee on the Modernization of Congress issued a list of two dozen recommendations designed to “make Congress more reflective and responsive to the American people.” One recommendation stands out as particularly timely, visionary and practical: “Making cybersecurity training mandatory for Members.” Finally, a cybersecurity mandate that makes […]


    Capital One Breach Highlights the Danger of Insider Threats

    Posted on July 30, 2019 at 1:27 pm

    by Josh Higgins When companies think about cybersecurity threats, they often think of a hacker in some far-off place using sneaky tactics to gain access to their systems. However, Capital One’s announcement Monday of a major data breach highlights another major, yet often overlooked, cyber threat: The insider. Similar to other cyber incidents, the newly […]


    Accountability in Cybersecurity is a Two-Way Street

    Posted on July 29, 2019 at 11:48 am

    The biggest story in cybersecurity this past week was the eye-popping $5 billion (that’s billion with a B) fine the FTC placed on Facebook for not adequately fulfilling its responsibilities to protect its consumers’ data. Probably just as painful to Facebook, and its CEO, as the fine itself is having to publicly acknowledge their […]


    Regulators: Don’t Make the Same Cyber Mistakes Over Again

    Posted on July 19, 2019 at 2:27 pm

    It’s not news that cyber-attacks are increasing both in number and sophistication and that the increasing criticality of the attack methods demands increased attention, especially with respect to critical infrastructures. Also, due to the uniqueness of information systems and the speed with which attack methods and technologies change, the traditional regulatory model has been deemed to […]


    MAN BITES DOG: State Regulators Want Cyber Reg Reform

    Posted on June 26, 2019 at 1:31 pm

    Yesterday Congressman Cedric Richmond, Chair of the House Homeland Subcommittee on Cybersecurity, Infrastructure Protection and Innovation announced in the wake of the recent ransomware attacks on local jurisdictions like Atlanta and Baltimore that he is going to propose a series of legislative efforts to assist the municipalities because “we can’t expect under-resourced, understaffed, state and […]


    Brush with Greatness: A Chat with a Man Who May Be the Tipping Point Toward Effective Cybersecurity

    Posted on June 21, 2019 at 10:47 am

    by Larry Clinton The greatest cyber risk an organization can have is doing a faulty cyber-risk assessment. This is one of the key insights from Doug Hubbard’s paradigm-shifting book “How to Measure Anything in Cybersecurity Risk”. While in Chicago this week to do a series of Master Classes on the Economics of Cyber Risk for […]


    Corporate Directors Take the Next Step on Cybersecurity: Where’s Congress?

    Posted on June 18, 2019 at 11:27 am

    by Larry Clinton In Chicago this week the National Association of Corporate Directors (NACD) will host the first in a series of nationwide events on the economics of cybersecurity. The courses start with a brief discussion of the now well-known existence of cyber-attacks on enterprises. However, they quickly move beyond the problem and instruct board […]


    We Need Sensible Cybersecurity Regulations – More Is Not Necessarily Better

    Posted on June 12, 2019 at 11:08 am

    by Larry Clinton When the ISA published the Cybersecurity Social Contract three years ago, one of the facts we documented was that some in critical industries were being forced to divert between 30%-40% of their scarce cybersecurity resources to largely redundant regulatory compliance. This fact highlights the twin maladies of undermining efforts to strengthen cybersecurity without improving either […]


    Experts from GE and FIS Help Students Deal with the Inevitable: Cyber Attacks

    Posted on June 6, 2019 at 11:00 am

    Once upon a time, industry experts would caution students and conference attendees that with cyber-attacks, it was not a question of if, but when. That adage has now matured into a more modern version: There are only two types of companies — those who know they have been successfully compromised, and those that don’t know […]


    Cyber Experts Will Help Wharton Students Address the “Most Vexing Challenge”

    Posted on June 5, 2019 at 10:56 am

    The insider threat has become one of the biggest threats in the realm of cybersecurity. Despite the amount of risk posed by insiders, corporate executives often lack the awareness of the threat to adequately address it. That is why the Internet Security Alliance’s upcoming course on cybersecurity at the ABA Stonier Graduate Program at the […]


    The EU Privacy Law is Not Working, But Why?

    Posted on May 30, 2019 at 10:06 am

    by Larry Clinton In 2016 the European Union enacted arguably the most stringent privacy law in the western world. Following a two-year transition, the law went into full effect last May. Although advocates had suggested the stringent penalties in the General Data Protection Regulation (GDPR) would deter individual privacy invasions and reduce market domination from […]


    European corporate boards agree to create European adaptation of Cyber-Risk Oversight Handbook

    Posted on May 28, 2019 at 11:26 am

    by Larry Clinton This week the board of directors of the European Confederation of Directors Associations (ecoDa) agreed to work with the Internet Security Alliance (ISA) on a European adaptation of the Cyber-Risk Oversight Handbook originally published by the National Association of Corporate Directors in the U.S. This agreement indicates further progress that corporate boards […]


    Washington Can Help States Face Cybersecurity Threats by Harmonizing Regulations

    Posted on May 15, 2019 at 12:52 pm

    by Dan Lips The National Governors Association is meeting in Louisiana this week for its biannual cybersecurity summit. An important topic of consideration is how Washington can help state governments by harmonizing regulations. Doing so would let states focus their attention on confronting worsening cybersecurity threats, rather than answering federal auditors. “On any given day, […]


    Congress Needs Training in Cybersecurity — The Right Kind of Training

    Posted on May 14, 2019 at 10:17 am

    by Larry Clinton Kudos to Representatives Kathleen Rice (D) and John Katko (R) for their bipartisan legislation requiring Members of Congress to receive training in cybersecurity. Give congressional representatives an IT tool and they can secure the nation for a day — maybe. Teach Congress how to truly understand and manage cyber risk and we […]


    U.S.-Japanese Cyber Collaboration Needs to Include the Private Sector

    Posted on May 9, 2019 at 12:26 pm

    by Larry Clinton While much of the attention on President Trump’s upcoming visit to Japan will focus on North Korean nuclear issues, a critical, if under-reported, element of the visit will be to bolster U.S.-Japanese cyber defenses. In a speech to the Hudson Institute last week, U.S. Ambassador to Japan William Hagerty acknowledged the importance […]


    Annual FBI Internet Crime Report Finds $2.7 Billion in Losses in 2018

    Posted on April 29, 2019 at 2:41 pm

    Internet-enabled crime was responsible for $2.7 billion in losses in 2018, according to the FBI’s annual Internet Crime Report. The data confirms industry concerns about growing cybersecurity threats. The FBI’s Internet Crime Complaint Center (IC3) reported an increase in the number of complaints from 301,580 in 2017 to 351,000 in 2018, or more than 900 […]


    Should we start regulating cybersecurity in the supply chain? Not so fast.

    Posted on April 26, 2019 at 11:30 am

    Supply chain has become the hot topic in cybersecurity inside the Beltway in recent months – and for good reason. The British Standards Institution just this week released a new report on the supply chain identifying cybersecurity as one of the greatest security threats within the supply chain. The federal government has also taken notice to […]


    ISA Top 2018 Highlights

    Posted on January 28, 2019 at 9:00 am

    ISA appointed industry co-chair (DHS is government co-chair) of the Policy Leadership Working Group charged by DHS Asst. Secretary for Cyber Security Jeanette Manfra with articulating the details of a Collective Cybersecurity Defense Model the Trump Administration wants to promote for cybersecurity. Policy Leadership Working Group produces a joint government-industry white paper defining the Collective […]


    We need a new approach to cyber risk assessment

    Posted on September 21, 2018 at 12:47 pm

    “Garbage in, garbage out.” For years, cyber risk assessments have often revolved around checklists of standards and practices that IT professionals can use to check off what they’ve done, but that model is insufficient, producing results that are hindering cybersecurity. ISA President Larry Clinton, at the Command and Control conference on Friday, September 21, called […]


    At DEFCON, DHS Gets it Right on Cyber – We Need to Rethink Incentives

    Posted on August 14, 2018 at 10:09 am

    When DHS Assistant Secretary for Cyber Security Jeanette Manfra addressed the hackers at the annual Las Vegas showcase for modern wizardry, she didn’t focus on standards and bots. She talked about how digitization changes everything and the need to look at cybersecurity through an economic lens. She got it exactly right. “For the first time […]


    Happy New Year: We Need a New Approach to Cybersecurity

    Posted on January 2, 2018 at 11:05 am

    By Larry Clinton We all know we are losing the battle to secure cyber space – badly. Maybe our New Year’s resolution ought to be to recognize this fact and come up with a new approach to the problem. The old ones don’t seem to be working. Specifically, we should consider moving away […]


    Is it Time to Sunset Cybersecurity Awareness Month?

    Posted on October 2, 2017 at 11:28 am

    By Larry Clinton Raise your hand if you know anyone who is unaware that we have a cybersecurity problem. In a field where we are often desperate for any sign of success, I think we can spike the football on the issue of cybersecurity awareness. Understanding the cybersecurity problem? […]


    Enabling better Cybersecurity Information Sharing with Small and Medium-sized Partners

    Posted on September 1, 2017 at 12:11 pm

    By Jeff Brown “Information sharing” is one of the most powerful tools organizations can use against cyber threats that can erupt without warning and cause disruption worldwide. Once an organization—any organization, whether public or private sector—spots the tell-tale patterns of a new attack, alerting other organizations of these warning signs can help halt the spread […]


    Cybersecurity and the Resilient Mindset

    Posted on July 17, 2017 at 10:37 am

    By Cindy Fornelli If you spend some time around the issue of cybersecurity, it won’t be long before you encounter the notion of resilience. “Cyber resilience is a public good,” observed a 2017 white paper from the World Economic Forum. A 2013 Presidential Policy Directive declared that “it is the policy of the United States […]


    Petya Provides Context for Briefing Council on Foreign Relations

    Posted on June 29, 2017 at 10:00 am

    It appears the dust was just settling from the global impact of the WannaCry ransomware attack when a new culprit Petya (or not Petya) struck. Among the disturbing characteristics of these attacks is their vast international impact. Desperate for a silver lining, this happens to be a great backdrop for my previously scheduled briefing digital […]


    Maintaining Cybersecurity During Mergers & Acquisitions

    Posted on June 27, 2017 at 10:56 am

    Mergers and acquisitions are risky times. Headlines treat the combination of companies as job done after the announcement, but insiders know combining operations is no easy task. These days, add cyber risk to the list of prime considerations companies should weigh before, during, and after any M&A decision. Companies involved in transactions are often prime […]


    Board Directors Need to Have Discussions on Which Risks to Avoid, Which Risks to Accept, and Which to Mitigate Through Insurance

    Posted on June 22, 2017 at 11:06 am

    Total cybersecurity is an unrealistic goal. Cybersecurity is a continuum requiring strategic decision-making about where and how to spend security dollars. Attempting to guard every system equally is a recipe for exhausting the budget on low-priority systems. And it’ll result in bad security, since the company’s crown jewels will lack the sophisticated protections they need. […]


    Directors Need to Set the Standards and Expectations for Management to Establish Well-Staffed and Well-Funded Cyber-Risk Framework

    Posted on June 20, 2017 at 10:44 am

    Much like any response plan, a cybersecurity framework is only successful if it is well-staffed and well-funded. Otherwise, it simply will not be able to adequately handle the stresses caused by a breach. In a world where malware and ransomware are increasing both in frequency and severity – WannaCry, for example, affected 200,000 computers in […]


    Boards Need Access to Adequate Cybersecurity Expertise – And Need to Give it Adequate Time on Meeting Agendas

    Posted on June 19, 2017 at 12:56 pm

    Cyber literacy can be considered similar to financial literacy – not everyone on the board is an auditor, but everyone should be able to read a financial statement and understand the financial language of business. As we all know, cybersecurity is very much a moving target. The threats and vulnerabilities change almost daily, and the […]


    Boards Need to Be Aware of Evolving Cyber-Legal Landscape

    Posted on June 14, 2017 at 10:24 am

    Boards of directors face several versions of risk from cyber breaches. Obviously, there is the risk of loss or manipulation of the data. There is also a risk of reputational loss. However, regardless of the actual data or reputational impacts boards need to be concerned about legal risks that can occur unrelated to the other […]


    HHS Points The Way Forward For Improved Cybersecurity

    Posted on June 12, 2017 at 11:35 am

    Last month President Trump issued an Executive Order on cybersecurity that called on all federal agencies to assess their status on information security and for the leadership to take the steps required to mitigate threats. Last week the Department of Health and Human Services (HHS) released its Healthcare Industry Cybersecurity Task Force report, which provides a […]


    Cybersecurity Principle Number 1 for Boards – It’s Not Just About “IT”

    Posted on June 2, 2017 at 12:07 pm

    It has now become clear that cyber-risk needs oversight at the board of directors level. The problem is that most corporate boards are comprised of “digital immigrants” — people not born into the digital world they now inhabit — and therefore need to learn how to understand cyber-risk. That educational process has been undertaken by […]


    Metrics? What Metrics? Finding the Missing Link to the NIST Cybersecurity Framework

    Posted on May 31, 2017 at 11:00 am

    The NIST Cybersecurity Framework (NIST CSF) is one of the cornerstones – and most popular features – of US government policy to strengthen our nation’s cybersecurity. The hottest topic at the recent NIST workshop aimed at updating and refining the CSF was the development of metrics. Many experts believe that for the CSF to properly […]


    Reform the Defense Supply Chain to Face the Realities of Conflict in the Digital Age

    Posted on March 7, 2017 at 11:04 am

    For centuries, we’ve operated under the principle that nations are sovereign within their own borders, with traditional rules of war clearly stating that combatants need to be identifiable military targets. Acting on this principle, a functioning government has traditionally had to raise a force more powerful than any potential rival, either internally or externally, when […]


    Why Isn’t There An Academy Awards Ceremony for Cybersecurity

    Posted on February 27, 2017 at 11:20 am

    Let me spare you the suspense, because we don’t deserve one. Most people who have become aware of cybersecurity in the past few years think we are talking about credit cards, passwords, and firewalls. Really? I give these rookies a pass. The real fault lies with those of us, including myself, who have been toiling […]


    Seven Basic Cybersecurity Measures As Revealed By Wisdom Of The Crowd

    Posted on February 21, 2017 at 4:52 pm

    Individual experts offer good advice, but when many people agree on practical steps necessary for better cybersecurity, their consensus carries more weight, at least so long as cybersecurity lacks outcome-based, objective metrics. Accordingly, here are the most important things small and medium-sized organizations should do, according to a survey the Internet Security Alliance did of […]


    Movement in the Right Direction on Cyber Security

    Posted on January 30, 2017 at 11:24 am

    While the bulk of mainstream news coverage on cyber issues has been focused on macro issues such as Russian involvement in our electoral process, there have been less noted initial signs of progress on the more traditional cyber concerns such as the protection of critical infrastructure, theft of intellectual property and securing of personal data. […]


    Cybersecurity Takes its Place in the Boardroom

    Posted on November 30, 2016 at 11:54 am

    Those recognized by the National Association of Corporate Directors in its annual compilation of 100 most influential individuals and organizations have achievements in fields such as governance, transformation or oversight. Cybersecurity hasn’t typically figured among them – until recently. NACD is recognizing Internet Security Alliance CEO Larry Clinton for the second consecutive year in its […]


    10 Cheap Tricks to Improve Our Cybersecurity: Part I

    Posted on September 6, 2016 at 12:36 pm

    On September 15, 2016, the Internet Security Alliance will publish a 400-page, 17-chapter book containing 106 recommendations for the incoming Administration and Congress. One of the recommendations is that, frankly, we need to invest more in cyber defense. We are chasing a $500 billion to $1 trillion a year issue with about […]


    IMPACT OF BREXIT VOTE ON CYBER SECURITY: Private Sector Needs To Act Responsibly

    Posted on June 25, 2016 at 12:31 pm

    While I don’t see much, if any, short term operational impact to cyber security from the Brexit vote, I do think the vote underlines the need for the private sector to develop strong partnerships to secure the cyber systems they own and operate independent from government structures. I feel pretty sure not a single UK voter […]


    The Next Administration Needs To Pick Up The Pace

    Posted on May 27, 2016 at 12:40 pm

    By: Larry Clinton, CEO/President THE NEXT ADMINISTRATION NEEDS TO PICK UP THE PACE – A LOT – ON CYBERSECURITY The Pentagon’s 2015 annual report says that most DoD systems are subject to low to mid-level cyberattacks and our defense systems are basically subject to compromise whenever an adversary chooses to do so. If the world’s […]


    Government Needs To Get Its Own Act Together With Respect To Cybersecurity

    Posted on May 20, 2016 at 5:00 am

    By: Larry Clinton, CEO/President Last week, I commented that given we have spent much of the last decade developing a consensus on an overall approach to cybersecurity as articulated in both the House GOP Task Force on Cybersecurity and President Obama’s Executive Order 13636, the one thing we don’t need from the newly appointed President’s […]


    Dear Cyber Commission, We Don’t Need a New Plan

    Posted on May 13, 2016 at 5:00 am

    By: Larry Clinton, CEO/President A wise person once said every great plan eventually dissolves into actual work. What we need right now is actual work on cybersecurity. We have spent much of the past decade, and particularly the last 5 years, coming to a consensus on the best approach to improve our overall cybersecurity. Back […]


    Major Indian Trade Group Seeks Alliance with ISA

    Posted on July 11, 2014 at 3:53 pm

    In November of 2013, Larry Clinton, the President and CEO of the ISA, traveled to India to speak about cyber security issues in the international context. Mr. Clinton traveled to Chennai, India where he spoke with T. K. Ramachandran, a member of the board of governors and the secretary of the ICT Academy of Tamil Nadu […]


    DHS Under Secretary Spaulding inserts ISA recommendations on cyber risk into new National Infrastructure Protection Plan

    Posted on June 12, 2014 at 3:02 pm

    The National Infrastructure Protection Plan (NIPP) established a strategic direction for coordinating the nation’s critical infrastructure protection and resilience initiatives. The new National Plan built on the previous Plan from 2009, and reflects major changes in risk, policy, and operating environments, reflecting “a significant evolution in critical infrastructure risk policy.” This evolution reflects movement toward […]


    White House Releases “Cyber Space Policy Review” — ISA is Most Cited Source

    Posted on June 11, 2014 at 5:20 pm

    Released in 2009, the Cyber Space Policy Review was the Obama Administration’s assessment of U.S. policies and structure for cybersecurity. Drawing heavily from the Internet Security Alliance as a resource, the paper outlined a path forward to creating a reliable and resilient digital infrastructure. Covering resources including the Cyber Security Social Contract, white papers, and […]


    ISA Hosts Conference on Cyber Security at White House Featuring DHS Secretary

    Posted on at 5:13 pm

    The Internet Security Alliance hosted an invitation-only event at the White House on economic issues related to cyber security featuring DHS Secretary Janet Napolitano. The session allowed guests to engage with the DHS secretary in a robust question and answer session in a more intimate setting. The DHS Deputy Under Secretary for Cybersecurity for the […]


    ISA takes Lead Role in Construction of NIST Framework

    Posted on at 4:58 pm

    In response to the February 2013 executive order released by President Obama, titled “Improving Critical Infrastructure Cybersecurity”, the National Institute of Standards and Technology (NIST) has undertaken the vital task of developing a new set of guidelines and standards to promote better cyber security practices in both the public and private sector. Known as the […]


    Obama’s Cybersecurity Executive Order 13636

    Posted on at 1:37 pm

    In February 2013, President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity, which formalized the Administration’s adoption of principles proposed by the Internet Security Alliance. The Executive Order departed from the regulatory model that the Administration previously embraced that would have granted the Department of Homeland Security extensive authority to mandate cyber security standards […]


    NACD Asks ISA For Best Practices Guide

    Posted on June 10, 2014 at 4:49 pm

    The National Association of Corporate Directors (NACD) asked ISA to put together a guide of best practices for corporate directors. With input from the ISA Board of Directors, and in close collaboration with AIG, ISA was tasked to identify best practices in […]


    ISA Criteria For Assessing The Cybersecurity Exec Order

    Posted on February 20, 2014 at 1:40 pm

    EXECUTIVE SUMMARY – ASSESSING PRESIDENT OBAMA’S EXECUTIVE ORDER ON CYBER SECURITY Upon realizing that comprehensive cyber security legislation to address the nation’s growing cyber security problem was unlikely to pass the Congress, President Obama issued an Executive Order on the subject in February 2013. The Order marked a watershed moment […]


    Media Asks ISA To Comment On WH Cyber Order

    Posted on October 11, 2013 at 12:41 pm

    ISA on CNBC On February 13, 2013, following the release of the Obama Administration’s Executive Order, CNBC’s “Power Lunch” asked ISA President Larry Clinton to appear on the show to discuss how the Executive Order will impact the private sector and solicit ISA’s view on its implications.  To watch the segment, please proceed to ISA […]


    “Cyber Czar” Praises ISA on Health Care Program

    Posted on July 5, 2012 at 3:00 pm

    In an unusual move, the White House’s cyber security lead, the so called “Cyber Czar,” Howard Schmidt joined the ISA, ANSI, and the Santa Fe Group at the National Press Club for the launch of the ISA’s most recent publication in its Financial Risk Management Program: “The Financial Impact of Breached Protected Health Information – […]


    ISA Testimony Leads To Bipartisan Cyber Incentives Effort

    Posted on at 2:27 pm

    ISA’s long-standing efforts to create an economically viable and sustainable approach to cybersecurity reached a milestone following an unusually collaborative and non-partisan hearing before the House Energy and Commerce Subcommittee on Communications and Technology on February 8, 2012. After the hearing, Chairman Greg Walden (R-OR) and Ranking Member Anna Eshoo (D-CA) formed a bipartisan Task […]


    ISA Leads Effort W/DHS To “Reboot” Ind-Govt Partnership

    Posted on at 2:06 pm

    Since the crafting of the National Infrastructure Protection Plan (NIPP), the ISA has taken a lead role in seeking a viable partnership between government and industry to address the unique problems in defending integrated cyber systems against increasingly sophisticated attacks. ISA outlined a re-drafted model in its Cyber Security “Social Contract” (2008) and “Social Contract […]


    ISA Briefs FDIC On ISA’s Financial Cyber Risk Program

    Posted on at 2:02 pm

    Starting in 2006, the ISA began its program on the Financial Management of Cyber Risk, which resulted in the first of its publications on this subject: “The Financial Impact of Cyber Risk – 50 Questions Every CFO Should Ask.” ISA’s follow-up publication, “The Financial Management of Cyber Risk – An Implementation Framework for CFOs,” […]


    ISA and Michael Chertoff Keynote World Nuclear Security Event

    Posted on at 2:00 pm

    The World Institute of Nuclear Security (WINS) contacted the ISA in late 2011 for assistance in developing an incentive-based model for nuclear facility security that is global in scale. In conjunction with this request, ISA President Clinton, along with DHS Secretary Michael Chertoff, was asked to keynote the WINS international nuclear security conference in Vienna, […]


    ISA Briefs Congress On Information Sharing

    Posted on at 1:55 pm

    Information sharing is one of the most important tools in implementing a sustainable system of cybersecurity. However, the traditional information sharing models have been proven generally to be of limited effectiveness in that many organizations cannot devote the resources to participate in an Information Sharing and Analysis Center (ISAC) and because many of the traditionally […]


    ISA Briefs NATO Cyber Centre For Excellence

    Posted on at 1:52 pm

    While many of ISA’s member companies are U.S.-based, virtually all of them are multi-national and operate internationally. Because of this and the nature of the problem, itself, ISA has always taken an international approach to cybersecurity (2 of the past 5 ISA Board Chairs have hailed from European headquartered organizations). Shortly after ISA reiterated and […]


    ISA Releases Cyber Supply Chain Roadmap

    Posted on at 1:50 pm

    The ISA launched its first supply chain program in 2005, in conjunction with ISA Founding Partner Carnegie Mellon University. Since then, ISA has released a series of reports on managing the IT supply chain for security purposes with ever greater specificity. In 2007, ISA released its report with Carnegie Mellon on the nature of […]


    House GOP Task Force Report On Cybersecurity Adopts ISA Recommend

    Posted on at 1:47 pm

    In the 112th Congress, a high-level task force convened by House Speaker John Boehner (R-OH) endorsed the approach laid out by ISA in the Cyber Security Social Contract. When the House GOP Task Force on Cyber Security convened, ISA was the first witness called to provide recommendations. The House Republican Task Force Report on Cyber Security, […]


    ISA Hosts White House Event on Cybersecurity And Economy

    Posted on at 1:40 pm

    On June 6, 2012, the Internet Security Alliance hosted an invitation-only event at the White House on economic issues related to cyber security. DHS Secretary Janet Napolitano was the featured speaker, providing opening comments and engaged the invited guests in an open and robust question and answer session. Mark Weatherford, the DHS Deputy Under Secretary […]


    Transcript: Is The Web Becoming Less Secure? – PBS News Hour

    Posted on December 12, 2010 at 2:13 pm

    In the wake of the Gawker Media hacking over the weekend, Jeffrey Brown gets a wider perspective about the vulnerability of online information and the danger of further cyberattacks from James Lewis of the Center for Strategic and International Studies and Larry Clinton of the Internet Security Alliance. To view the video of this exchange, […]