While the NZ Government seems to finally be getting a move on to start addressing the full range of cybersecurity issues, the same can’t be said of most medium and large sized businesses. Their response seems to still be limited to CIOs, treating cybersecurity as an IT issue. It needs to be a CEO and Board level concern as a key business risk, using standard management and governance techniques.
Prodded along by the others in the “Five Eyes”, the NZ Government started to take cybersecurity more seriously a couple of years back. Full marks to Hon Steven Joyce for his leadership in adding an economic and business perspective. With MED as the lead agency (and not GCSB), the launch of the Cyber Security Strategy in June 2011 was a good first step. Since then, as with other national security matters, responsibility has shifted to a more direct line to the Prime Minister with the setting up of the National Cyber Policy Office (NCPO) last year.
In my opinion, New Zealand’s voice and active interest in cybersecurity is vital to international efforts. It will be welcomed as a balanced and pragmatic middle path. Stepping up efforts is good for both New Zealand and the world. However, with our limited resources and higher priorities, cybersecurity is likely to remain a “punching above our weight” backhanded compliment in the years ahead.
The NZ Government also has to guard against the tendencies of other governments to pollute cybersecurity efforts by including other agendas. This includes stomping all over human rights, funnelling more money into the ‘military-industrial complex’, and advancing narrow business interests. For example, in the recent NZ-UK joint statement on cyber security, why use the narrow, loaded term “intellectual property” and not a more appropriate one that conveys the real economic and business risks?
NZ businesses and cybersecurity
The Internet age equivalent of extortion is a DDoS (Distributed Denial of Service) attack. Such attacks should be seen, and managed, as a denial of business risk. Anyone doing or planning to do business in countries like China is almost certainly the subject of snooping efforts. This includes their suppliers, advisers and partners. ‘Advanced Persistent Threats’, aka State-sponsored or State-backed attacks, are on the rise. These are only three examples; the list of business threats is long and growing all the time.
Yet, most NZ medium and large businesses still treat cybersecurity as an IT matter. While those in the ‘critical national infrastructure’ sectors have mostly got the message by now, others seem unable or unwilling to make the connection between cybersecurity and their business interests. This is true for security as a whole but even more acute for cybersecurity.
There is some good business advice from PwC Cybersecurity: The new business priority which makes the point that a “reactive approach is all too common, even though the question is not if a company will suffer an incident but when.” The (US) Business Roundtable makes the point that “It’s time for a “reset” in the public policy debate over cybersecurity to avoid a governmental-dominated approach heavy with regulation.” While in response to the specific environment in the US, it emphasises the need for businesses to respond to business threats in a business-appropriate manner.
Progress in Davos
Somewhat surprisingly, NZ seems to largely ignore the annual World Economic Forum in Davos. Maybe it’s the timing (just as things start coming back to normal in the new year) or the weather (giving up the few summer days for snow) or that we don’t appreciate its importance.
In any case, this year cybersecurity from a business and economic angle was prominently on the agenda. I found the publication Risk and Responsibility in a Hyperconnected World: Pathways to Global Cyber Resilience a useful high-level view. Also useful is a video from Deloitte called Companies like yours (but big fail for not allowing the video to be embedded here).