- Spreading the responsibility of cybersecurity enterprisewide is one of the key steps to redefining cyber and how it's treated, according to William Evanina, director of National Counterintelligence and Security Center at the Office of the National Intelligence, while speaking at the Symantec Symposium in Washington Tuesday.
- This is includes shifting sole responsibility away from the CIO or CISO while adding a chief risk officer to the C-suite. "Very few people own consequence right now," he said, but "we should all own consequence."
- To better define cyber, first identify key assets, decide how they need to be protected and create a policy for guiding and upholding their protection, according to Evanina. To help this process, hire a chief risk officer to perform "tabletop" exercising twice a year, and cultivate a better public and private sector partnership.
Cybersecurity can't exist in a vacuum, whether at a company or government agency. Organizations can no longer relegate security to a support element; it is a mission critical element.
In the past, Evanina "didn't care" who his CIO was, he just wanted to his email to work. But that's changed.
The CIO can't prevent every employee from clicking a malicious link, but they can encourage a more inclusive and holistic approach to cyber awareness in a company. The heads of HR and acquisition and procurement know employees and their behaviors, making these department heads primary liaisons for cyber awareness.
Investing in cybersecurity is a "harder pill to swallow because it's not a profit maker" for the private sector, said Evanina, but it costs more to disregard it.
Cyberattacks and other incidents like Nyetya and the CCleaner supply chain attack have largely outlived their relevance in the news. "My fear is they're no longer on the front page," said Evanina, "they're buried." This results in a lack of incentive to drive solutions to the point no solutions will be found.
Ultimately, when cybersecurity exists under the radar and off the front page, companies and governments will "become numb" to the loss of hundreds of millions of dollars in related collateral.