To truly be effective, a cybersecurity program must continually evolve and improve. The problem is, many organizations don't have a clear sense of where they are today and how to improve for tomorrow. As Peter Drucker, the father of management, is often quoted as saying, "If you can't measure it, you can't improve it." In an effort to validate and measure their efforts, many cybersecurity organizations count the number of vulnerabilities they've closed in a given time period or report compliance with regulatory or industry standards. However, none of these approaches gives a true indication of your organization's maturity, nor do they provide a framework for improvement.
It can be easy to lose sight of the innovation in the cybersecurity industry amidst the frequent news about breaches and increasingly sophisticated hackers. Among all the chaos, many promising innovations are also gaining traction and could change the way enterprises conduct business. So far this year, there have been three key cybersecurity developments: blockchain, cloud security, and machine learning/artificial intelligence (AI). Michael Whitener, VLP Partner, sat down with Inside Counsel to discuss the new cybersecurity developments of 2017 and how they will affect the future of the industry.
If 2017 has taught us anything, it's that nothing is safe. Some poor MBA home alone for the holidays is probably still crunching the final numbers, but this year will likely turn out to be one of the worst in terms of cybersecurity breaches. Almost two billion records were lost or stolen globally in the first half of 2017. The Equifax breach was probably the most infamous, but there were plenty of other headline-grabbing cyber attacks, including the use of hacking tools developed by the National Security Agency. Storing private data on post-it notes taped around a computer monitor seems like a more secure choice these days.
"Real" cybersecurity today devotes enormous effort to non-code vulnerabilities and responses. Ten of the specialty areas primarily involve coding, but more than half primarily involve non-code work (15 areas, in my estimate) or are mixed (eight areas, per my assessment). This column proposes a Pedagogic Cybersecurity Framework (PCF) for categorizing and teaching the jumble of non-code yet vital cybersecurity topics. From my experience teaching cybersecurity to computer science and other majors at Georgia Tech, the PCF clarifies how the varied pieces in a multidisciplinary cybersecurity course fit together. The framework organizes the subjects that have not been included in traditional cybersecurity courses but instead address cybersecurity management, policy, law, and international affairs.