The tech industry has adopted a philosophy where cybersecurity is often an afterthought when building new products, which Internet Security Alliance leader Larry Clinton says could put the U.S. at a disadvantage when the economy starts to recover from the COVID-19 pandemic.
“We will be going gangbusters to recapture the economy because we have lost enormous amounts of economic value,” Clinton said in an episode of IT-ISAC’s “Firewall Chats.” Clinton doesn’t claim to know when the pandemic will end, but he says, “We are going to lose even more before we are finished.”
When things improve, Clinton said, “There’s going to be a tremendous drive to recapture” what we have lost economically, and the recovery will use “technology to try [to] push economic growth and productivity.” However, this drive could mean “we tend to forget about security because it is seen as slowing down and cutting down on efficiency. As the processes intensify so we are making this catch up, I think that we will be more lax when it comes to cybersecurity,” he said.
Larry Clinton, President, Internet Security Alliance
Clinton spoke on the latest episode of IT-ISAC’s podcast this week with IT-ISAC executive director Scott Algeier on how industry can work with government to promote more investment in cybersecurity practices that will actually improve resiliency.
“We’ve developed much better methods for cyber risk assessment,” Clinton said. “For a long time, we didn’t have good methodologies to do cyber risk assessment. We had instead enormous lists of requirements like the NIST framework and ISO framework. Basically, corporations went through and checked the box but none of these were ever tested to see if they impact security.”
Clinton points to Factor Analysis of Information Risk and X-Analytics as two examples of tools where organizations can “take these frameworks and repackage them in a coherent mechanism which allows organizations for the first time to understand their cyber risk on an empirical and economic basis so they can do a much better job of determining their risk appetite and calibrating their cyber risk assessment to their unique cyber risk so they can do a much more cost effective mechanism for transferring their risk.”
There should be “much more of a collaborative process with government” to address cybersecurity risks, Clinton said, but he thinks “more regulations” are not needed “because frankly [government agencies] don’t know how to regulate in this space for the most part.”
“The private sector is infinitely larger, has more resources, more people so of course the private sector knows more about cybersecurity than the government does,” Clinton said. “We need to be working together to have a stronger, more unified collective defense.”
Right now, Clinton said there isn’t an incentive to “compensate people for building secure products and because we don’t compensate people for building secure products we don’t teach coding in most schools. The [current] coding economic model is to get your product to market fast, fix it later with updates and patches. There is no incentive to provide security on the front end.”
Clinton pointed to ISA’s work with the National Association of Corporate Directors to develop a “handbook” for corporate boards on managing cyber risks to reflect current threats and the latest “best practices” as one idea that should be replicated in government.
In the third iteration of the handbook, the two organizations outline five guiding principles behind cyber risk management and provide tools to address insider threats, oversight of incident response, and third-party and vendor risks. The report gives guidance on “new management methods to measure cyber risk in empirical and economic terms.” -- Sara Friedman