Cybersecurity: a need to do more

While the NZ Government seems to finally be getting a move on to start addressing the full range of cybersecurity issues, the same can’t be said of most medium and large sized businesses. Their response seems to still be limited to CIOs, treating cybersecurity as an IT issue. It needs to be a CEO and Board level concern as a key business risk, using standard management and governance techniques.

Prodded along by the others in the “Five Eyes”, the NZ Government started to take cybersecurity more seriously a couple of years back. Full marks to Hon Steven Joyce for his leadership in adding an economic and business perspective. With MED as the lead agency (and not GCSB), the launch of the Cyber Security Strategy in June 2011 was a good first step. Since then, as with other national security matters, responsibility has shifted to a more direct line to the Prime Minister with the setting up of the National Cyber Policy Office (NCPO) last year.

In my opinion, New Zealand’s voice and active interest in cybersecurity is vital to international efforts. It will be welcomed as a balanced and pragmatic middle path. Stepping up efforts is good for both New Zealand and the world. However, with our limited resources and higher priorities, cybersecurity is likely to remain a “punching above our weight” backhanded compliment in the years ahead.

The NZ Government also has to guard against the tendencies of other governments to pollute cybersecurity efforts by including other agendas. This includes stomping all over human rights, funnelling more money into the ‘military-industrial complex’, and advancing narrow business interests. For example, in the recent NZ-UK joint statement on cyber security, why use the narrow, loaded term “intellectual property” and not a more appropriate one that conveys the real economic and business risks?

NZ businesses and cybersecurity

The Internet age equivalent of extortion is a DDoS (Distributed Denial of Service) attack. Such attacks should be seen, and managed, as a denial-of-business risk. Anyone doing or planning to do business in countries like China is almost certainly the subject of snooping efforts. This includes their suppliers, advisers and partners. ‘Advanced Persistent Threats’, aka State-sponsored or State-backed attacks, are on the rise. These are only three examples; the list of business threats is long and growing all the time.

Yet, most NZ medium and large businesses still treat cybersecurity as an IT matter. While those in the ‘critical national infrastructure’ sectors have mostly got the message by now, others seem unable or unwilling to make the connection between cybersecurity and their business interests. This is true for security as a whole but even more acute for cybersecurity.

There is some good business advice from PwC’s Cybersecurity: The new business priority, which makes the point that a “reactive approach is all too common, even though the question is not if a company will suffer an incident but when.” The (US) Business Roundtable makes the point that “It’s time for a “reset” in the public policy debate over cybersecurity to avoid a governmental-dominated approach heavy with regulation.” While this is a response to the specific environment in the US, it emphasises the need for businesses to respond to business threats in a business-appropriate manner.

Progress in Davos

Somewhat surprisingly, NZ seems to largely ignore the annual World Economic Forum in Davos. Maybe it’s the timing (just as things start coming back to normal in the new year) or the weather (giving up the few summer days for snow) or that we don’t appreciate its importance.

In any case, this year cybersecurity from a business and economic angle was prominently on the agenda. I found the publication Risk and Responsibility in a Hyperconnected World: Pathways to Global Cyber Resilience a useful high-level view. Also useful is a video from Deloitte called Companies like yours (but big fail for not allowing the video to be embedded here).


3 thoughts on “Cybersecurity: a need to do more”

  1. “The following is solely my opinion and does not represent the thoughts, intentions, plans or strategies of any third party, including my employer”.. 🙂

    All fair points Vikram, and you’ll be pleased to learn that there is a global initiative in its formative stages which brings together military, national security *and* industry/business (and I don’t mean those with a vested interest in the space, but industry in general). It arose out of a series of experiments to test cyber situational awareness. The initiative hasn’t got a name yet, but when it does, I guess it will be duly released. The point to note is that it attempts to get a balanced 3 way collaboration going in each country and bring that together in a global context. And of course, it is hoped that NZ will have representatives from these 3 domains join in.

    • Thanks Colin.

      I think the NZ Government is, finally, moving in the right direction. Lots still to do but they are getting on with it. What concerns me are medium and large sized businesses. With some honourable exceptions (the ones who would participate in the global initiative you mention), the others are way too disconnected from the reality.

  2. Yes, I agree there may well be a sense of ‘it will never happen to us’ syndrome in the medium/larger space. Personally, I think the public sector (perhaps in cahoots with some obvious candidates in the NGO sector) has a role to play there by making the first move to proactively reach out to these folks. If the engagement can be primed and started like this, I think the NGOs and private sector can and should take it forward thereafter. It’s the ongoing balancing act between not enough intervention and too much intervention.
