A few days ago, my colleague Chris McClean asked the excellent question, "Is Risk Management Compatible with ERM?" I saw the headline come across my RSS reader and I thought, "Cool! I'd love to read what Chris thinks about enterprise rights management," a technology that I cover as part of my data security coverage. I'd advise you to read his post, which is excellent.
Every month or so, news events (attacks on government sites, massive privacy breaches, etc.) provide a ‘wake-up call’... a proof point used by vendors and practitioners alike that protecting our national and corporate information assets has never been more critical. On occasion we even see these incidents yield promises of action, for example the anticipated appointment of a US Cybersecurity Czar, which my colleague Khalid Kark discusses here.
But in spite of these warnings, my conversations with enterprise risk and IT risk professionals still reveal many disconnects, including that IT risks are not measured consistently with other enterprise risks. In addition, many IT risk professionals do not see their biggest risks showing up on the corporate risk register.
I attended a Cisco Systems briefing earlier this week about its Smart Connected Communities initiative. Once again Cisco demonstrated its forward thinking by bringing together various government initiatives under the umbrella of what it calls Smart Connected Communities. A Smart Connected Community is built on IP-based infrastructure. This means that all of the critical components of a city's infrastructure, such as utilities, transportation, healthcare, commercial buildings, and emergency response systems, connect via an IP-based network.
Overall, it was a good update briefing. But I was surprised to hear just how confident Cisco is that securing this networked infrastructure is a no-brainer. When I asked the presenter: “Given that network infrastructure is not nearly as robust and secure in some emerging geographies, how are you planning to ramp up the backbone and make the network secure enough end-to-end to run smart services?”
Bill Brenner at CSO recently wrote an interesting piece highlighting the urgency of having a cybersecurity leader. Although I do not agree with him that the simple DDoS attacks on government websites could have been prevented by having a Cybersecurity Czar, I do agree with him that we need a cybersecurity leader – now!
We all rejoiced when President Obama ordered a 60 day cybersecurity review shortly after taking office. We were all excited when, on May 29th, a report summarizing the findings of the cybersecurity review was released and the president declared cybersecurity as a national security priority for his administration, and a personal goal for him.
I came across an interesting article discussing how the U.S. Department of State has recently shown interest in adopting network access control (NAC) tools that perform pre-admission access control. That interest is helping to drive the development of standards that help organizations secure their networks against malicious attacks. There is mounting concern that the nation's critical infrastructure — ranging from the electricity grid to banking systems to defense contractors — is far from secure. To this end, the SANS (SysAdmin, Audit, Network, Security) Institute has worked with security professionals both inside and outside of government agencies to develop the Consensus Audit Guidelines. The program defines 20 critical controls for tackling cybersecurity issues, and NAC is identified as a supporting technology for “Critical Control 12: Malware Defenses.”