Cybersecurity and the US State of the Union: Expert Insights 


Jo Stewart-Rattray, Australia

Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, FACS CP, chair of ISACA’s Professional Influence and Advocacy Committee and director of information security and IT assurance at BRM Holdich

Whilst it is rare for a US President to make reference to an IT-related issue as part of the State of the Union address, it is not surprising, given the focus that the world has on cyberattacks. It is not just the US—other world leaders are also facing, square on, the issues related to cybersecurity and the role it plays in social unrest. If we look, for instance, to the Umbrella Uprising in Hong Kong, businesses and government agencies were hit with a veritable cyber storm as part of the social unrest that hit the island state. I was keynoting at an information security summit at that time, and as the summit progressed, more and more CISOs and CIOs left to attend to the cyber hits on their businesses—in some cases, having to invoke disaster recovery and business continuity plans.

Giving consideration to this, it is reasonable to assume that social unrest, and the cyber activities related to it, could be the new global pandemic.

The Australian government is in the process of reviewing its entire cybersecurity strategy. These instances of world leaders focussing on these issues at this time are obviously not coincidences. There may very well be intelligence that makes it an imperative.

ISACA has recognised the shortage of appropriately skilled and credentialed professionals and practitioners to deal with the cybersecurity issues that businesses and governments are facing. To that end, as part of its Cybersecurity Nexus (CSX), ISACA has developed a range of resources together with certification and certificate programmes for cybersecurity professionals and practitioners—no matter where they may be on their career continuum. It also engages with world experts and luminaries to develop appropriate pragmatic research initiatives. As such, ISACA is the only global professional body that can be seen as a one-stop provider of cybersecurity resources.

Christos K. Dimitriadis, Greece

Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, member of ISACA’s Strategic Advisory Council and group head of Information Security, Compliance and Innovation for INTRALOT GROUP

The importance of cybersecurity is rapidly emerging, due to the evolution of the cyberthreat landscape combined with the increasing dependency of the public and private sectors on a more complex, interconnected and globalized information technology. Governments are revisiting their cybersecurity strategies and realizing the need for strengthening public-private cooperation, information and knowledge sharing, critical infrastructure protection, as well as investing more in addressing the global need for skilled cybersecurity professionals.

ISACA, as a global association that helps the public and private sectors, as well as IT and cybersecurity professionals, in creating trust in and value from information and information systems, has focused on providing more cybersecurity resources in recent years. This gave birth to the Cybersecurity Nexus (CSX) that shapes the future of cybersecurity by providing training and certifications, guidance for implementing cybersecurity in practice, as well as a community for exchanging knowledge and information in cybersecurity matters.

Studies, including ISACA’s own 2015 Global Cybersecurity Status Report conducted in January 2015, indicate a huge shortage in cybersecurity professionals, a lack of enterprise readiness to address cyberattacks and a financial impact reaching hundreds of billions of dollars worldwide. ISACA, through CSX, is positioned to provide value through a holistic approach that introduces the governance of enterprise IT, audit, and compliance aspects to the cybersecurity-specific knowledge that it offers. This provides a unique benefit to professionals and businesses that need to avoid silos and collaboratively address the sophistication of the modern cyberthreats that exploit vulnerabilities at a technical, procedural, cultural, organizational and human level.

John P. Pironti, USA

John P. Pironti, CISA, CISM, CGEIT, CRISC, CISSP, ISSAP, ISSMP, President of IP Architects

Cybersecurity is now a top-of-mind issue, and cyber activities are critical and essential to the economies, critical infrastructure and business activities of the world. By addressing cybersecurity in the State of the Union, President Obama is acknowledging the fact that cyber infrastructure is now part of the critical infrastructure and needs to be appropriately protected in order to properly protect the country and the health, well-being and prosperity of its citizens.

As cyber activities have grown in importance and sensitivity, cyber adversaries have also grown in their motivations, capabilities and opportunities. The barrier to entry for the cyber adversary “hacker” has been lowering dramatically and quickly, while the population of trained and capable cybersecurity professionals is still far behind the numbers required to effectively counteract this emerging threat. It is important to bring these two back into balance to ensure the impacts of the attackers’ activities can be minimized and controlled.

Information is power. Through Cybersecurity Nexus (CSX), global association ISACA empowers cybersecurity professionals and organizations with skills, knowledge and capabilities from the lowest level of technical insights to the highest level of strategic program development and governance.

Marc Noble, USA

Marc Noble, CISM, CGEIT, Cybersecurity Practices Manager, ISACA

The issue of cybersecurity has become so important that US President Barack Obama is devoting a segment of his 2015 State of the Union address to the topic. Previous presidents have also become more focused on IT issues, and the reasons are quite clear: the world economy has become dependent upon open, clear and secure communications channels for commerce. Additionally, cybersecurity is seen as a bipartisan issue and both sides agree that something needs to be done. Recent hacking attacks on Sony, Home Depot and Target have raised concerns in the administration that we need additional action to protect our financial and critical infrastructure components.

President Obama is proposing three changes: (1) legal protection for companies that share cyberthreat information; (2) criminalizing the sale of botnets and financial information; and (3) updating RICO (the US Racketeer Influenced and Corrupt Organizations Act) to apply to cybercrime.

President Obama’s proposed legislative changes seek to enhance information sharing by offering liability protection to companies that provide information in near-real-time to the government. To protect industry and consumers, the legislation requires companies to strip the shared information of any personal data. While trying to meet the objections raised by industry and privacy advocates to past legislative initiatives, concerns still exist on how intelligence agencies may have access to information shared with the US Department of Homeland Security, particularly after the disclosures by Edward Snowden. Creating a single data breach standard of 30 days when personal information has been compromised garners support from many companies, but the issue of what constitutes a breach that is required to be reported may still be under debate.

The proposed legislation provides law enforcement with broader powers to investigate and prosecute cybercrime, focusing on the sale of botnets used for the theft of personal data and the sale of financial data in cybercrime. One of the more controversial aspects of the proposed legislation is the update of RICO to include cybercrime. There is concern by critics that tying RICO, which is broad and vague, to the US Computer Fraud and Abuse Act, which is also broad and vague, may be dangerous to computer users who may be caught up in benign offenses.

The development of well-qualified cybersecurity professionals has become a resounding issue since there is a dire lack of these skilled professionals to meet the demands of industry and government. With an unemployment rate of approximately 2 percent, there is a critical shortage of professionals in the cybersecurity field. The need for cyber professionals is growing exponentially along with the growth in networks and applications that are proliferating among the public. The business mantra of speed to market and convenience of use for products exacerbates the needs of securing both the networks and the applications that are placed on them. Unfortunately, speed to market often leads to a lack of diligence in meeting the need for security and privacy that customers expect. IT and the Internet have become so ubiquitous in our daily lives that our political leaders find it necessary to focus on the issue of securing the networks that we rely on in commerce and national security.

We must continue to focus on constant and consistent improvement in our global security posture. Many entities have neglected to build in the robust security and privacy features that are necessary to protect financial and privacy information.

ISACA’s role as a leader in training and certification in IT through its array of resources including the Cybersecurity Nexus (CSX), COBIT and its highly respected certifications provides a key educational advantage to those who manage and lead in the business, IT and cybersecurity fields. CSX is working to meet the needs of the cybersecurity professional from the beginning of their careers to their evolution into leadership roles. New initiatives such as the course on implementing the NIST Cybersecurity Framework provide professionals opportunities to stay current on the most up-to-date thinking on securing an organization.