To truly be effective, a cybersecurity program must continually evolve and improve. The problem is, many organizations don't have a clear sense of where they are today and how to improve for tomorrow. As Peter Drucker, the father of management, is often quoted as saying, "If you can't measure it, you can't improve it." In an effort to validate and measure their efforts, many cybersecurity organizations count the number of vulnerabilities they've closed in a given time period or report compliance with regulatory or industry standards. However, none of these approaches gives a true indication of your organization's maturity, nor do they provide a framework for improvement.
If 2017 has taught us anything, it's that nothing is safe. Some poor MBA home alone for the holidays is probably still crunching the final numbers, but this year will likely turn out to be one of the worst in terms of cybersecurity breaches. Almost two billion records were lost or stolen globally in the first half of 2017. The Equifax breach was probably the most infamous, but there were plenty of other headline-grabbing cyber attacks, including the use of hacking tools developed by the National Security Agency. Storing private data on post-it notes taped around a computer monitor seems like a more secure choice these days.
"Real" cybersecurity today devotes enormous effort to non-code vulnerabilities and responses. Ten of the specialty areas primarily involve coding, but more than half primarily involve non-code work (15 areas, in my estimate) or are mixed (eight areas, per my assessment). This column proposes a Pedagogic Cybersecurity Framework (PCF) for categorizing and teaching the jumble of non-code yet vital cybersecurity topics. From my experience teaching cybersecurity to computer science and other majors at Georgia Tech, the PCF clarifies how the varied pieces in a multidisciplinary cybersecurity course fit together. The framework organizes the subjects that have not been included in traditional cybersecurity courses but instead address cybersecurity management, policy, law, and international affairs.
An overwhelming majority of cybersecurity and risk management leaders believe that developments in 5G wireless technology will create cybersecurity challenges for their organizations. Their top three 5G-related concerns are greater risk of attacks on Internet of Things (IoT) networks, a wider attack surface and a lack of security by design in 5G hardware and firmware. These are among the findings of a new report released by Information Risk Management (IRM), a UK-based cybersecurity company of Altran, the global player in engineering and R&D services. The report, titled Risky Business, is based on a survey of senior cybersecurity and risk management decision makers at 50 global companies across seven major industry sectors: automotive, communications, energy, finance/public sector, software/internet, transport and pharmaceuticals. The study was conducted between July and September of this year.