Cybersecurity Reimagined: Calls Out for a New Model 

By Larry Clinton, Skytop Contributor/ September 26, 2023 

Larry Clinton is President of the Internet Security Alliance (ISA). The ISA is a multi-sector trade association that focuses on thought leadership, policy advocacy and developing best practices for cyber security. Mr. Clinton holds a certification on Cyber Risk Management for Corporate Boards from Carnegie Mellon University. He is on the faculty of the Wharton School, where he teaches a graduate Executive Education course in cyber security. 

The National Association of Corporate Directors has twice named Mr. Clinton as one of the 100 most influential people in the field of corporate governance. He is a two-term Chair of the IT Sector Coordinating Council and serves on the Cybersecurity Advisory Board for the Center for Audit Quality and the Cyber Advisory Board for the Better Business Bureau. He is widely published and has been a featured spokesman in virtually all major media outlets, from WSJ, USA Today, Fox News, NBC, CBS, NYT, PBS Morning Edition and CNN to even MTV in India. He testifies often before Congress. He has briefed industry and governments worldwide, including NATO and the OAS. ISA was also the only trade association to be part of the official cyber security briefing for the Republican National Convention in Cleveland. 

ISA recently published the Cyber Social Contract (Vol. 3), which outlines 106 recommendations for the President and Congress. The previous editions of the ISA Social Contract were endorsed by the House GOP Task Force on Cyber Security and were the basis for President Obama’s Executive Order 13636 on Cyber Security. He is the industry co-chair (DHS is the government co-chair) of the Policy Leadership Working Group on Cyber Security Collective Defense featured at the National Cyber Security Summit in New York in July. 

He literally “wrote the book”: the Cyber Risk Handbook for corporate boards, which is the only private sector publication endorsed by both DHS and DOJ. PwC has independently evaluated the Cyber Risk Handbook and found it substantially changed how corporate directors address cyber risk management, leading to higher budgets, better risk management, closer alignment of cyber security with business goals, and helping to create a culture of security. In 2017 ISA adapted the Handbook for the UK and Germany. As in the US, the German edition has been endorsed by the German government. ISA is now working with the OAS on a Latin American version of the handbook, as well as editions for India and Japan, in partnership with industry groups. 


The Need to Rethink and Fix Cybersecurity in the U.S. 

In February 2023, Foreign Affairs magazine published an article written by CISA Director Jen Easterly and Assistant Director Eric Goldstein entitled “Why Companies Must Build Security into Products.” The central thesis of their article is that we need a “new model” for cybersecurity because what we have been doing isn’t working. This is precisely the messaging CISA, and many of us in the industry, have been promoting for the past few years. It is clear that we, the government and much of the industry, need to rethink cybersecurity and, more importantly, go about fixing American cybersecurity. Easterly and Goldstein make several important observations in their article and suggest how these may offer a more productive path than the one we have taken previously. 

First, Easterly and Goldstein point out that “over the past decade adversaries of the United States have developed increasingly sophisticated offensive cyber capabilities” and that “the incentives for developing and selling technology have eclipsed safety in importance.” This is a key insight that needs to inform cyber policy as it never has historically. Attack methods that were considered advanced a decade ago are now relatively commonplace, and the existing incentive structure is not adequate to the problem, hence the need for a new model. Easterly and Goldstein, with limited space in Foreign Affairs, focus on one key aspect: the need to have producers better incentivized in product development. But that is only one aspect of the problem. As they also point out, “what the United States faces is less a cyber problem than a broader technology and culture” problem, and, I would add, an economics problem. 

The broader problem is that the economic incentives of the digital age all favor the attackers. Attack methods are comparatively cheap and easy to acquire. The cost of entry into cybercrime is incredibly low and the rewards are enormous, literally trillions of dollars on an annual basis, and there is virtually no law enforcement. We prosecute less than one percent of cybercriminals. The result of this evolution, as Easterly and Goldstein point out, is that “the cybersecurity burden falls disproportionately on consumers and small organizations which are often least aware of the cyberthreat and least capable of protecting themselves.” 

Understanding Cybersecurity as an Enterprise-wide Risk Management Issue 

A second key insight is that we need to rethink how we conceptualize and therefore address the cyber issue. One of the main reasons that we have made little or no progress in cybersecurity (in point of fact, things are only getting worse) is that, for the most part, the issue has been thought of in too narrow a context, as essentially an IT issue, and its management has been relegated to the IT department. 

Obviously, IT is a critical element of the cyber issue, but it is not the entirety of the issue. At one point Easterly and Goldstein compare cybersecurity to automotive safety, which calls to mind the longstanding observation in that community that the most vulnerable part of an automobile has always been “the nut behind the wheel” – the people. The same is true in cyber, making human resource management a critical, and non-IT-centric, element of cyber risk management. The same can be said of supply chain management or managing reputational risk, which is the province of legal, strategic relations, and the PR people. The point is that we need to grow our understanding of our cybersecurity problem as not simply a technical issue but an enterprise-wide risk management issue. As Easterly and Goldstein put it, “under this new model, cybersecurity would ultimately be the responsibility of every CEO and every board.” 

This is one space where the private sector seems to be well ahead of our government partners. For nearly a decade, leading corporations have been moving away from the IT-centric management of cybersecurity to an enterprise-wide model with direct and growing involvement from the most senior levels of the organization, including the board of directors. 

Conversely, virtually all government programs dealing with cyber issues are intensely tech-centered. In the last ten years board organizations around the world have published handbooks on cyber risk oversight for directors. There is no similar document for government leaders. Here in the U.S. the National Association of Corporate Directors has been running cyber risk oversight training for board members for many years. There is no similar training program for cabinet members, agency heads, or members of Congress – the government equivalent of the corporate board. This may explain why, notwithstanding Easterly and Goldstein’s perceptive commentary, most government leaders still conceive of cybersecurity in primarily, if not totally, IT terms. This may also explain why these programs have no documented evidence of success. 

Elevating Cybersecurity Discussions to the Board by Proving Better Outcomes 

A final key point raised in the Easterly-Goldstein article relates to the wisdom of elevating cybersecurity discussions to the board. Anyone who has been to a board meeting and heard a discussion of risk – be it financial, geopolitical, or environmental – sees the board is intensely focused on the numbers. Again, returning to their automotive analogy, Easterly and Goldstein note “The readily apparent safety issues with cars also led to a simple solution: government action to compel adoption of specific security measures with proven better outcomes.” 

I think it’s fair to assume that securing our critical infrastructure from the sophisticated attacks Easterly and Goldstein identify in their article is not going to be as simple as buckling a seat belt. But the key term here is “proven better outcomes.” When making risk-based decisions, boards of directors want to know the metrics. Will the interventions they have proposed work? Are they cost-effective or cost-prohibitive? These are the real-world issues we need to address if we are going to talk about enhancing cybersecurity through government action. 

Unfortunately, there is virtually no evidence that existing government regulation of cybersecurity works, let alone that it is cost-effective. On the other hand, the principles and toolkits embedded in the Cyber Risk Handbooks alluded to above have been independently assessed and shown to produce better outcomes. An independent evaluation from PwC noted that organizations that use these handbooks have better cyber risk management, closer alignment of cybersecurity with business goals, and develop a culture of security. In November of 2022, the World Economic Forum published research from MIT that found that “organizations that use the consensus principles can significantly improve their cyber resilience without raising costs” and “the CEO who follows the principles is predicted to have 85% fewer incidents.” 

Should Congress or the U.S. Securities and Exchange Commission (SEC) choose to incentivize better cyber risk oversight and management, they would do well to stick to these proven techniques rather than digging deeper into technical mandates. 
