So does regulation have a downside? Its promised upside is clear enough: an analogue of public health and public safety measures, transposed to cyberspace. In a keynote that opened the proceedings at Johns Hopkins this week, Dr. Phyllis Schneck, Managing Director of the Global Cyber Solutions practice at Promontory Financial Group, began by drawing attention to the well-known principle that compliance isn't sufficient for security, still less synonymous with it.
She offered regulation of personally identifiable information (PII) as an example of regulatory insufficiency. PII is widely regulated, but there is a wealth of other types of data that aren’t, and which, when aggregated, can be at least as revelatory as what we commonly think of as PII. Information such as location data and buying habits, for example, can be just as valuable to an attacker as it is to the companies that collect the data.
One of the problems with regulation, she said, is that it shows the bad guys what you’re not doing, so they can invest their time and money into targeting areas that are unprotected. Attackers will always be ahead, because defenders have laws that restrict their actions. Attackers can adapt more quickly to new information, and they’re generally more open to sharing information with other attackers. Operational resilience is the only way to address this problem, Schneck argued. Companies need to have their recovery strategies set up in advance. She stressed that rehearsal is a necessary component of resilience. Companies need to ask themselves what they would do “if all the lights went out tomorrow,” so that they’re not dealing with that question when the lights actually do go out.
John Forte, Deputy Executive for Johns Hopkins University Applied Physics Laboratory’s Homeland Protection Mission Area, delivered the closing keynote. He took as his text the proliferation of interconnected devices. Transportation, healthcare, buildings and cities, education, and public safety are increasingly automated, and CISOs are going to need to deal with this trend soon. IoT devices will be used to assist in countless tasks, and all of these devices need to interact with each other. The challenge is getting them to interact securely, and building them so they can’t be hacked.
Forte said that the traditional consideration for a CISO is aligning the risk to the mission; in the future, however, CISOs will increasingly need to become business strategists. What CISOs need to start doing today is designing open, resilient, zero-trust architectures, mastering the supply chain, and enhancing automation and the use of AI. Forte noted that we’re currently in the very beginning stages of artificial intelligence.
We'll have other notes on the Cybersecurity Conference for Executives available later.