
Be Careful Out There

WASHINGTON — The White House’s regime of cybersecurity best practices will take a year or more to kick in — an eternity in Internet time — and even then, they will be voluntary.

Congress is holding hearings, including one last week, but those wheels grind slowly. And lawmakers can’t agree on the colors in the American flag these days, and are currently concentrating on the next fiscal cliff, the debt ceiling and keeping the government from shutting down at month’s end.

In the meantime, hackers seem to be having a field day, with reports that China has been on a break-in binge across a range of companies, including news outlets. The Chinese government denies the allegations.

What should CTOs at Internet-service providers be doing now to make sure they don’t make the next headline? Harriet Pearson, a partner with Hogan Lovells and former IBM chief privacy officer, provides cybersecurity news you can use.

1.) Understand the threats that are specific to your business. “Every organization is different. Each has its own risk profile based on the type of assets handled, the locations in which the business operates, and other factors. To protect itself, a company needs to know the likely sources of risk — criminals? State-sponsored actors? Political activists? Disgruntled employees? Careless employees? — and prioritize its actions.”

2.) Form a team. “Someone said — maybe me — that security is a team sport. It’s not just the CIO or the IT Security Director’s job. It’s the COO and CFO, who must be convinced to fund and support risk mitigation initiatives. It’s the chief legal officer, who can help guide the assessment of legal and reputational risks and advise on smart ways to document the company’s efforts so they stand up to scrutiny. And it’s the HR and communications leaders who can help educate employees and strengthen corporate culture to value security.”

3.) Prepare to respond. “No security program is perfect; incidents will happen. The key to handling them well is preparation, the kind that can prevent an incident from turning into a crisis. Make sure people know to whom to report an incident; rehearse your response if possible. At least, know the lawyer and technical experts you will involve if something unusual is detected.”

4.) Watch over your vendors. “The weakest link is sometimes outside of your own shop. Pay the most attention to your vendors who handle important data or operations, and for them, require certain demonstrations of security competence. Write requirements into contracts.”

5.) Document your program. “Let’s say something happens. When you are asked, ‘What did you do to prevent it?’ have a thoughtful answer that is backed up by a written description of your efforts to identify threats and defend against them.”