Governments or regulators are getting so sensitive about cyber security that they may demand publicly-traded companies undergo annual cyber audits as well as financial audits, says a former U.S. Homeland Security secretary who is now a consultant on risk management.
Tom Ridge made the prediction to a Canadian audience at the third annual International Cyber Risk Management Conference in Toronto, where he also repeatedly asserted that to fight cyber attacks the public and private sectors have to build resilient organizations.
Companies regularly bring in third parties to check finances, he noted, even though they believe their C-level executives are top. Similarly, he said, “at some point in time the business community is going to say, ‘I got a great CSO, chief technology officer… but just to be sure I want to bring in [someone] to see if there’s new technology, if they’ve got a new cyber auditing process.’”
Then he added, “I believe in the United States of America, if you’re a publicly-traded company in the next few years, [government] may require a cyber audit in addition to a fiscal one.”
Cyber security, he said “is no longer the poor CISO’s problem.”
Asked in an interview if governments should be more aggressive in regulating companies to improve their level of cyber security, he said there’s a positive role for governments to play. In the U.S. the National Institute of Standards and Technology (NIST) has issued a cyber security framework that organizations can use to establish cyber strategies, he pointed out.
“I think if companies wait for government to give them solutions to identify technologies they’d be waiting [a while] because governments move more slowly than icebergs.” On the other hand oversight can be helpful, he added.
“Government is inclined to punish,” he added. “But so far regulators have urged organizations to think differently about this as a business risk.” At the same time, he admitted there has been a warning that organizations that are careless risk seeing “the heavy hand of government in a very punitive way.”
“So I think right now the best thing the government could do is raise that level of awareness and kind of push executives to take a look at it, particularly from the regulatory side. It’s not an IT problem, it’s a business risk and you’d better deal with it.”
In his keynote address, Ridge hammered home one word: Resilience. To fight cyber attacks the public and private sectors have to build resilient organizations, he said.
“You want to close cyber gaps? Good luck … You can’t close all the gaps, let’s accept that as the reality of the digital world. But you sure can close some of them and as others emerge you can make it far more difficult for the bad guys to exploit them.”
Russia, China and Iran continue to use the Internet for economic and political espionage, he said at one point, but he also admitted his own government has used an unnamed “digital weapon” — perhaps an allusion to reports that the U.S. and Israel used the Stuxnet virus to infect Iranian nuclear centrifuges.
When asked later about the chances of international collaboration to stop cyber attacks, Ridge said, “I’m a real sceptic the global community will ever come up with protocols that everybody will live by and have enforced.”
Better, he said, that the countries partnering with the U.S. in the so-called Five Eyes intelligence partnership – Canada, the U.K., Australia and New Zealand – sign their own cyber pact and expand from that. “There’s lots of countries out there that would be happy to sign international agreements and then ignore them before the ink dries.”