Why risk management is critical in cybersecurity

If you're a federal cyber official, the advice in a newly revised handbook on corporate cybersecurity might sound familiar. The new National Association of Corporate Directors' cybersecurity handbook says cybersecurity is a risk management issue, not an IT matter.

The language echoes what top federal agency IT managers and cybersecurity officials have been saying about how to handle threats at their organizations.

The NACD guidebook, compiled with the help of the Internet Security Alliance, says that cyber threat expertise isn't a prerequisite for corporate board members, but that corporate boards should have access to that knowledge and consider how cyber affects their companies overall operations, from management to products and supply chains.

"The cyberthreat picture continues to become more challenging with nation-state attacks against both public and private sectors," said ISA CEO Larry Clinton at a Jan. 12 Washington press conference releasing the new handbook.

That melding of targets, said Danny Toler, deputy assistant secretary for cybersecurity and communications at the Department of Homeland Security, makes closer collaboration on attacks and sharing of threat information between corporations and federal agencies increasingly crucial to defending against them. Toler, who was at the press conference, said the growing common terminology, as well as common threats, can help facilitate information sharing with DHS.

DHS and the Department of Justice both have longstanding commitments to helping commercial entities gird themselves against a growing panoply of cyber threats, said Adam Hickey, acting deputy assistant attorney general for national asset protection in the Department of Justice's National Security Division.

Cybersecurity "isn't about prevention," he said. "CISOs can't be judged only on defense," as hackers are too smart for that. "All stakeholders look at responses and resilience, including whether they worked with law enforcement" to do everything they could to blunt attacks.

Toler and Hickey both urged corporations to work ahead of cyberattacks with the federal government on mitigation tactics and even on-site analysis.

Corporations have had liability concerns with sharing threat indicators with federal agencies. Although the Cybersecurity Information Sharing Act of 2015 created new law and governance structure for some of those issues, such as sharing of cyberthreat indicator data, concerns over use of and exposure of the data keep some corporations cautious.

Tole and Hickey said their agencies will work with companies to mitigate those concerns. Toler said DHS will sign agreements with companies that request scans of their networks for threats. Hickey said the FBI isn't after large-scale data from companies, just specific threat data. In both cases, the officials said the data would also be protected under privacy regulations.

Big, publicly acknowledged breaches are teaching private-sector firms that "they are not alone" in their efforts to combat cybercrime or cyberattack. "It could actually make victims feel more comfortable" in sharing threat data to help prevent attacks on others, he said.