The Administrator’s Role in Cybersecurity

The views expressed are those of the author and do not necessarily reflect the views of ASPA as an organization.

By Ygnacio Flores, Tracy Rickman, and Don Mason
May 8, 2020 

Cybersecurity has grown from a neologism, as it was just a couple of decades ago, to becoming a primary concern for governments and businesses alike. The use of viruses has also evolved from the realm of academic use, like with the Morris virus in 1988, to being weaponized by nation states, like with the development of the Stuxnet virus revealed in 2010. From a global perspective, the costs of cybersecurity frame just how important it is. With $106 billion spent on cybersecurity technology and a 67% increase in cyberthreats, along with the average cost of a cyberattack being $13 million, this topic mandates personal involvement from the most senior administrators in the organization.

Administrators in the C-suites, especially the CEO, can no longer expect an IT person in the basement to handle all the cybersecurity requirements for an organization. Administrators must be as actively engaged in cybersecurity as they are in fiscal and personnel management. This means administrators must educate themselves in the many facets of cybersecurity that exist in both the cyber and physical realms of their ecosystems.

While many functions and capabilities of cybersecurity are outsourced, the administrator nevertheless maintains responsibility and accountability for the security of his or her organization and the security of the data he or she oversees. This includes the trustworthiness of all devices that are or have the capability to connect to your network through the internet of things (IoT). Equally important, vendors must be vetted to ensure their product fits your needs and not that of the vendor.

Some key areas that C-suite administrators need to concentrate on are the risks and costs of managing a cybersecurity program. Basically, can an organization afford to lose data and risk the costs of litigious disputes in addition to losing the trust of valued customers? Administrators need to frame the organization’s approach to cybersecurity by answering what a court might ask in wanting to know what you did, as well as what you did not do, when managing a cybersecurity program. Base your actions on the standard of reasonableness that is active and fully engaged.  

The emphasis in cybersecurity is moving away from protecting a network—an unrealistic goal—to that of resilience through appropriate response and recovery capabilities. Administrators need to select an insurance policy that covers the physical and intangible realms of cybersecurity. A standalone cybersecurity policy is recommended over a general policy bundled with other organizational needs. Consider limits contained in the exclusions of insider threats, nation state actors and acts of war.

A prudent administrator needs to develop a cybersecurity response team that includes at a minimum the C-suite, legal counsel, IT/cybersecurity, contracted vendors and government authorities when required. This team needs to have meaningful discussions on the security of organizational cyber assets before a cyberattack and not after. A robust training program will mitigate threats to the human firewall while strengthening that same barrier.

Additionally, administrators need to know how the language of cybersecurity is defined legally in their jurisdiction(s). They also need to ask if it is operationally necessary to collect all the data they are exposed to. Considerations such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) may make compliance more costly than the data is worth to the organization. Likewise, knowing the National Institute of Standards and Technology (NIST) cybersecurity framework can aid in addressing the human element of a cybersecurity program. It is recommended that administrators implement across all operations the most restrictive privacy and data statutes. Underscoring regulation is how an organization includes ethical behavior in their cybersecurity programs.

When looking at risk, administrators need to develop a strategy that acknowledges that all assets cannot be secured equally across an enterprise. Correspondingly, acknowledging that increasing the budget of a security system does not equate to an increase in cybersecurity is prudent.

Cyberthreats to an organization are only limited by the imagination of the human mind. Conversely, the largest threat to networked systems comes from the human element in the cyberspace. Knowing the threat environment of cybersecurity is recognizing that the problem space is more than computers on a desk. It includes the human element, supply chains, physical security, research and development, data transfer systems and all intangible networks in cyberspace.

The U.S. Department of Justice has programs to strengthen public-private partnerships to improve homeland security. The Federal Bureau of Investigation (FBI) partners with the private sector to form InfraGard, an organization that improves homeland security issues, cybersecurity included. The benefit of InfraGard and similar organizations cannot be overlooked.

The pace of technological development drives the constant need to improve cybersecurity measures in an organization. With every new development there exists an emerging threat. An administrator needs to think about how technology can be weaponized and used against his or her organization. The future will provide a smorgasbord of concerns for administrators that include artificial intelligence (AI), machine learning, deep fakes, technological arms-race, 5G dominance and the internet of things (IoT). Every time your employee brings in a new program and tells you, “Look what this does!” you need to think, “What can someone make it do!”


Authors:
Ygnacio “Nash” Flores
Tracy Rickman
Don Mason
All serve as faculty in Rio Hondo College’s Public Safety Department.
