Hathaway joins a distinguished group of highly respected and accomplished people who have quit the position of Cybersecurity Czar. She wasn’t even the actual Cybersecurity Czar; she was just the acting one, but it appears even that was too much for her to take. She cited personal reasons for resigning, but media reports suggest a more plausible reason – frustration at “spinning her wheels” and not being able to accomplish anything. Sounds familiar, doesn’t it? Whether you are a Cybersecurity Czar or a CISO, the challenges for this position are very similar.
Every month or so, news events (attacks on government sites, massive privacy breaches, etc.) provide a ‘wake-up call’... a proof point used by vendors and practitioners alike that protecting our national and corporate information assets has never been more critical. On occasion we even see these incidents yield promises of action, for example the anticipated appointment of a US Cybersecurity Czar, which my colleague Khalid Kark discusses here.
But in spite of these warnings, my conversations with enterprise risk and IT risk professionals still reveal many disconnects, including that IT risks are not measured consistently with other enterprise risks. In addition, many IT risk professionals do not see their biggest risks showing up on the corporate risk register.
Bill Brenner at CSO recently wrote an interesting piece highlighting the urgency of having a cybersecurity leader. Although I do not agree with him that the simple DDoS attacks on government websites could have been prevented by having a Cybersecurity Czar, I do agree with him that we need a cybersecurity leader – now!
We all rejoiced when President Obama ordered a 60-day cybersecurity review shortly after taking office. We were all excited when, on May 29th, a report summarizing the findings of the cybersecurity review was released and the president declared cybersecurity a national security priority for his administration, and a personal goal for him.