It is always reassuring to have an independent, credible authority endorse what you believe and/or what you have been saying, so information security professionals should have felt good this morning if they read the op-ed article on cyber security in the New York Times by Preet Bharara, the U.S. attorney for Manhattan.
Bharara made several key points, including:
- That as U.S. attorney in the largest city in the U.S. and the financial capital of the world, he worries about few things as much as he does about cybercrime. He sees it as a huge threat. "Businesses should worry, too," he said, "but ... they are not doing nearly enough to protect themselves."
- One board member of a major Internet-based company told him that the company board had not spent one minute discussing cyber security.
- Too many companies are unwilling to disclose data breaches, which limits law enforcement's ability to respond and inhibits the collective community's ability to learn lessons from security breaches and develop better defenses.
The most important step that needs to be taken is the "obvious and fundamental one: understanding the threat in a comprehensive, serious manner," Bharara wrote. Every board member and senior executive at a public company should ask themselves if they are doing enough to recognize and address the risks of cybercrime. Do they have a sound, documented plan in place to deal with a breach or serious compromise? Have they sought an independent expert view on their risks and vulnerabilities?
Bharara ends on a positive note, referring to the American response and mobilization of resources after the attack on Pearl Harbor and, more recently, the 9/11 attack, and saying it is possible for us to defend against a catastrophic cyber attack --- if there is enough recognition of the scale of the threat and enough leadership and mobilization of resources to match the threat.
Here's hoping that Bharara's piece is a catalyst for some serious boardroom dialogue --- and decision-making action.