
Mandatory cyber audits coming for publicly-traded companies, Canadian audience told

Governments or regulators are getting so sensitive about cyber security they may demand publicly-traded companies to undergo annual cyber audits as well as financial audits, says a former U.S. Homeland Security secretary who is now a consultant on risk management.

Tom Ridge made the prediction to a Canadian audience at the third annual International Cyber Risk Management Conference in Toronto, where he also repeatedly asserted that to fight cyber attacks the public and private sectors have to build resilient organizations.

Tom Ridge

Companies regularly bring in third parties to check their finances, he noted, even though they believe their C-level executives are top-notch. Similarly, he said, "at some point in time the business community is going to say, 'I got a great CSO, chief technology officer… but just to be sure I want to bring in [someone] to see if there's new technology, if they've got a new cyber auditing process.'"

Then he added, "I believe in the United States of America, if you're a publicly-traded company in the next few years, [government] may require a cyber audit in addition to a fiscal one."

Cyber security, he said, "is no longer the poor CISO's problem."

Asked in an interview if governments should be more aggressive in regulating companies to improve their level of cyber security, he said there's a positive role for governments to play. In the U.S. the National Institute of Standards and Technology (NIST) has issued a cyber security framework that organizations can use to establish cyber strategies, he pointed out.

"I think if companies wait for government to give them solutions to identify technologies they'd be waiting [a while] because governments move more slowly than icebergs." On the other hand, oversight can be helpful, he added.

"Government is inclined to punish," he added. "But so far regulators have urged organizations to think differently about this as a business risk." At the same time, he admitted there has been a warning that organizations that are careless risk seeing "the heavy hand of government in a very punitive way."

"So I think right now the best thing the government could do is raise that level of awareness and kind of push executives to take a look at it, particularly from the regulatory side. It's not an IT problem, it's a business risk and you'd better deal with it."

In his keynote address, Ridge hammered home one word: resilience. To fight cyber attacks the public and private sectors have to build resilient organizations, he said.

"You want to close cyber gaps? Good luck… You can't close all the gaps, let's accept that as the reality of the digital world. But you sure can close some of them and as others emerge you can make it far more difficult for the bad guys to exploit them."

Russia, China and Iran continue to use the Internet for economic and political espionage, he said at one point, but he also admitted his own government has used an unnamed "digital weapon" — perhaps an allusion to reports that the U.S. and Israel used the Stuxnet virus to infect Iranian nuclear centrifuges.

When asked later about the chances of international collaboration to stop cyber attacks, Ridge said, "I'm a real sceptic the global community will ever come up with protocols that everybody will live by and have enforced."

Better, he said, that the countries partnering with the U.S. in the so-called Five Eyes intelligence partnership – Canada, the U.K., Australia and New Zealand – sign their own cyber pact and expand from that. "There's lots of countries out there that would be happy to sign international agreements and then ignore them before the ink dries."
