
There Is No Finish Line for Cybersecurity

Companies can’t set up an antimalware patch and dust off their hands. An effective cybersecurity structure needs to evolve constantly.

Increased connectivity means increased vulnerability. People can easily be tracked from their mobile phone or Fitbit and have not only that device but also their car, watch and TV infected.

With cloud and Internet connectivity touching everything from light bulbs, alarm systems, appliances, planes and pacemakers, the attack surface can only expand.

Digital communication will add functionality and control, but it will also create new vulnerabilities. Think of law enforcement using E-ZPass to issue you a speeding ticket. Or, instead of deleting or releasing stolen data, the next wave will simply alter digital data to compromise its integrity. Going further, malware could be embedded in the chip of a programmable logic controller for a warehouse conveyor belt or carousel (see the Stuxnet virus) and disrupt an entire supply chain.

The increased connectivity means it’s time for a new approach to combating cyberthreats. It’s impossible to have central control over every connection. An analogy is the development that occurred in financial institutions in the late 1990s, when chief risk officers, faced with command-and-control structures that could not reach every employee or function, adopted a new paradigm in which everyone in the organization was responsible for his or her own steps. Cybersecurity is an ongoing risk that needs to be managed by everyone, so that when bad events happen, we are all better prepared to assess them and execute a response plan. A cyberwellness program that fosters a proactive collaboration with the firm and each employee and vendor should have four specific objectives:

The first objective of cyberwellness is to prepare and protect the firm. It starts with an adaptive defense, similar to how predictive weather data enables coastal areas to initiate preventive measures in advance of a hurricane. Intelligence and threat assessment data should be used to create active learning scenarios to enhance employee cyberknowledge and training.

Also needed is an effective governance structure to ensure that the firm, affected employees and vendors implement a coordinated vulnerability management program that supports the business strategy. Employees and vendors need to understand that the continuity of operations is their responsibility, and that the onus of developing a response plan and safeguarding company assets falls on them.

The next objective is the ability to detect threats and defend the firm. And, last, the company needs to be able to respond and rebound from cybersecurity failures. This necessitates a predefined set of security incident response plans that can be implemented just after a security attack, rather than being developed on the fly.

Firms that really get it on cybersecurity have adaptive cultures. When firms make missteps on this front, they become textbook examples of what not to repeat. A cybersecurity program conducted in isolation from the day-to-day operating environment, which is the case at most firms today, will not work. A culture of cyberwellness needs to become a strategic focus embedded in day-to-day operations and the core values of the firm to deal effectively with the new threat environment.

David Martin is co–managing director of CybX, a cybersecurity consulting firm, in New York.
