Congress is close to passing a bill that urges federal agencies to consider buying security that is built into hardware and software. This bill (probably to be introduced next year) would also establish an executive cyber office in the White House and call for continuous monitoring. My first reaction is that this bill is great and long overdue, given the growing number and complexity of cyber attacks mounted against government entities and enterprises with “high value assets”.
While the words ring true, I have to stop and wonder whether this initiative is enough, or merely a compromise. My reaction as a businessman is that it is great to have security and continuous monitoring built in to protect against cyber attacks. In many cases, this type of security is probably acceptable as a good baseline. Yet, as an executive in the security business, I see the problem as more complex. Can security be “standardized”, or do you need to understand security in the context of the application and the type of assets you need to protect? I believe it is the latter.
The industry clearly must champion the cause of giving security more weight in decisions about buying hardware and software and in the management of the IP networks that are the lifeblood of business.
In a recent survey we conducted with Government Security News Magazine, 80% of those surveyed felt that no single company could provide all of their cyber security needs. Additionally, more than 60% indicated that they lack the skills necessary to manage security. So in addition to the bill – which is a great start – the industry must make buyers aware of the options at their disposal. Moreover, if we are to really make progress in our collective effort to combat cyber threats, participants in the industry will need to provide a more comprehensive plan and more robust tools that complement the security built into software and hardware. By way of analogy, think about integrated stereo systems, e.g. boom boxes, versus a specially designed audio system tuned to the uniqueness of its environment. In cyber security, especially in protecting carrier, government, and high value infrastructures, I believe we need the custom version, or at least a “customerized” version, of security.