Cybersecurity is an emotive mix of many fields of security. Some in the industry treat the term with rolling eyes as just another management catchphrase, while others think it is just a technical consideration. Cybersecurity should rather be viewed holistically, bringing together legal, national, energy, physical, information, Radio Frequency (RF) spectrum, personnel and commercial considerations, to name a few. Challenging the view that cybersecurity is more technical than holistic is the first obstacle that must be overcome.

Strategy first

A cybersecurity strategy should be comprehensive in its coverage, adequately resourced, and be the mandate by which all other activity is driven. Having lots of activity without a strategy is ineffective, as duplication of effort may occur or, worse, there may be unseen holes in its coverage that could be exploited. The strategy should include a rigorous examination of risk in all its forms, which in turn helps the cybersecurity expert visualise the gaps between the risks and the controls needed to mitigate them.

The cybersecurity regulatory landscape

Cybersecurity specialists need to be aware of the regulatory landscape to make sure everyone, from directors down, meets their legal obligations. When seeking guidance on what is permitted cybersecurity activity or what protections are offered to you, awareness of these statutes and guidelines provides a good baseline.

Data breach notification is a means to an end. It should be enforced to protect people's privacy through deterrence of corporate negligence, however embarrassing it may be. Over-regulation of any industry is traditionally expensive to administer and unlikely to be enforceable in this case. While there are obvious reputational issues about partial, late or non-disclosures, the industry has always been best served by learning from early, full and honest disclosures of those that have been breached.