Ground rules: the role of governments in cybersecurity

CISO_avatar_governmentYou know an issue is of global importance if a major national leader emphasizes it in his most widely broadcast speech of the year. So when President Barack Obama in his recent State of the Union address mentioned the need for better cybersecurity at home and abroad, it was an indication that IT threats—and how governments handle them—are a growing area of concern.

“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids,” Obama said.

The theme of this portion of the speech could be called uncertainty—both the uncertainty inherent in the realm of cybersecurity, where the most heinous antagonists operate behind the digital curtain, hidden somewhere around the world, and also the uncertainty associated with legislation addressing the matter, which for many countries is still in a developmental stage.

Security executives that the IBM Center for Applied Insights interviewed for its 2014 CISO Assessment echoed this sense of unpredictability. Given a list of ten potential cybersecurity outcomes, our interviewees, who spanned four continents, were most unsure about whether governments will handle security governance on a national or global level and how transparent they will be in doing so. A mere 22 percent of them think that a global approach to combating cybercrime will be agreed upon in the next three to five years, a statistic that offers more questions than answers.

One thing that can be agreed upon is that no matter what happens in terms of cybersecurity legislation, it will likely have a resounding impact on business. Nearly 80 percent of respondents said the challenge from regulations and standards has increased over the past three years. Moreover, about half said “regulations and standards” would be one of the top areas consuming organizational effort in coming years, making it the second highest demand for a security team behind external threats.

CISO 2014 Study – http://www.ibm.com/ibmcai/ciso
CISO 2014 Study – http://www.ibm.com/ibmcai/ciso
CISO 2014 Study – http://www.ibm.com/ibmcai/ciso
CISO 2014 Study – http://www.ibm.com/ibmcai/ciso

So how do you prepare for something of such undetermined nature? Opening a dialogue with your most strategic points of contact is a good way to start. Even though three-quarters of security executives listed customer privacy as increasingly a topic of discussion among their business leadership, a mere 9 percent considered the chief privacy officer (CPO) as a top strategic partner and only 14 percent considered their general counsel as such.

These are troubling stats. As world leaders continue to demand increased legislation around IT security, the gap between a company’s legal and security departments should shrink. Enterprises should stay tuned to the many potential shifts in regulation and be prepared to make the adjustments to adhere to them.

“Neither government nor the private sector can defend the nation alone. It’s going to have to be a shared mission — government and industry working hand in hand,” Obama said in an appearance earlier in January. Some companies appear to already be contributing to that front; our study showed that 43 percent of companies already share threat information with government agencies. Within the United States, this number may increase in the near future: Obama signed an executive order earlier this month that encourages and facilitates information sharing between the public and private sectors.

Other economic giants are imposing new standards as well. In January, the Chinese government enacted regulation requiring IT companies to reveal source code of the services that they provide to banks. Last November, India announced plans for an increased cybersecurity budget that will, among other initiatives, fund the creation of a National Cyber Coordination Centre. United Kingdom Prime Minister David Cameron is reaching across the pond in an agreement with the United States to fortify the countries’ collective infrastructure and share more information. Regulatory shifts abound as governments seek a more proactive role in thwarting cybercrime.

For more insights on the state of cybersecurity and the role of security leaders, read the full 2014 CISO Assessment, which explores pressing issues in today’s security landscape and suggests actions to address them.