The last panel at this year’s Global Financial Leadership Conference brought together a veritable dream team of experts: Tom Ridge, former Governor of Pennsylvania and the first Secretary of Homeland Security; Aneesh Chopra, the first Chief Technology Officer of the United States, who served in the Obama administration; Patrick Fitzgerald, a former U.S. Attorney who prosecuted a number of high-profile cyber security cases; and Kevin Mandia, a global authority on the topic and founder and CEO of Mandiant.
With so much to cover (Where are the greatest threats coming from? How do we hold cyber terrorists accountable? How likely is an attack?), the panel’s discussion centered on how much faster the private sector can develop solutions than government can.
Though in years past companies might have been reticent to share information on cyber threats and attacks for fear of reputational harm, the panel traced how the public conversation around cyber security has evolved in both government and the private sector. Or, as Fitzgerald put it, “Everyone is getting attacked now, get over it.”
So if the attacks are inevitable, how do you manage the risk of what Mandia terms “a sucker punch in cyberspace?”
Panelists pointed to private sector information sharing, such as what is already taking place within industries through the Information Sharing and Analysis Center (ISAC) in financial services, which lets peers in business share both best practices and unclassified threat information. Rather than depending on, or having to wait for, regulatory solutions, panelists pointed to alternative models in which regulation follows an industry’s own recommendation for standards rather than forcing the industry to convene or adhere to a particular solution in the first place. Chopra cited a particularly successful example in which health care experts set out to find a protocol for sharing confidential patient information between doctors over email. They developed the protocol for encrypting that information themselves, and it became a legal requirement only after the fact.
The panel also stressed that, though important, compliance with laws and policies does not equal security. Solutions have to go beyond compliance to reduce risk, even if the risk can never be eliminated.