Those providing products and services to the United States government have surely noticed that cybersecurity has captured the buzz in Washington. Businesses everywhere are seeking to define and refine their service offerings to capture increased government spending. But have they reflected upon the health of the information security practices followed by their own business enterprise? According to a recent report by Forrester Research, enterprises are overly focused on compliance and not focused enough on protecting their secrets (i.e., intellectual property, earnings and financial information, mergers and acquisitions data, and product schematics). This raises the question: should the private sector be pre-qualified to extend its cybersecurity products and services to the government based upon how well it is protecting its own businesses? Stated differently, how can you be qualified to extend services to the government if you are not able to first protect your own information assets?
Is information security a top-of-mind topic in your enterprise? Since the January 2010 disclosure of the incident involving Google, more executives are discussing the topic but may not be taking proactive measures to determine if they have been penetrated and have lost information. Others, however, are taking it seriously; some have even chosen to self-disclose issues to their shareholders in materials filed with the SEC. In its Annual Report (Form 10-K filing), Intel Corporation listed the following in the risk factors section: “We may be subject to intellectual property theft or misuse, which could result in third-party claims and harm our business and results of operations.” The media is increasingly making us aware that no sector is without compromise and that our businesses are being targeted by very sophisticated players.
So, what is the delay? The global economic crisis has placed significant pressures on enterprise IT budgets and focused actions toward meeting the minimum regulatory requirements like compliance at the expense of broader information security initiatives. Further, if information security is not measured or mandated, it may not be valued or become part of the risk officer’s portfolio of worries. The government is about to change this premise if you want to continue providing services and products to it. In March 2010, the Department of Defense announced its intent to change the Defense Federal Acquisition Regulation (DFAR) to “implement adequate security measures to safeguard DoD information on unclassified industry information systems from unauthorized access and disclosure, and to prescribe reporting to the Government with regard to certain cyber intrusion events that affect DoD information resident or transiting on contractor unclassified information systems.” Why did it come down to regulation? Largely because industry was not, as a whole, adequately protecting a critical asset–its own information. When combined with pervasive, persistent threats that are attempting and succeeding in stealing this information, there appeared to be no other choice.
Successful enterprises will begin to develop cyber risk management plans. A recent report by the Internet Security Alliance (ISA) outlines a few suggested areas for partnership between the Chief Information Security Officer and the Corporate Risk Officer that can positively affect the health of the enterprise. First, employees must become more aware of and accountable for the criticality of systems and assets under their control, while at the same time heightening their understanding of the latest attack strategies in the marketplace. Next, enterprises need to write and clarify data policies with respect to data categorization, data retention, and incident response. How many enterprises prepare for and can quickly respond to an incident enabled by a third party, like that encountered by Google? Lastly, ISA suggests that companies provision for securing connections with business partners, outsourced suppliers, and other remote connections.
Proactive businesses may take further actions. For example, they could actively red-team or conduct penetration testing of their own business to get a baseline assessment from which to improve their security posture. Or, businesses could partner with the academic cybersecurity challenges and sponsor a challenge focused on the biggest worry in their enterprise. Finally, businesses could actively invest in and develop methodologies or new innovative products designed to solve their own problem. This would have the added benefit of not only protecting your own information, but perhaps developing something of value that could then be marketed either to other businesses or to the government. It would also demonstrate that you, as an executive responsible for running the business, are serious about cybersecurity.
Cyber criminals have shifted their efforts toward stealing corporate intellectual property. This is in addition to the state-sponsored industrial espionage that the Director of National Intelligence testified about to the Senate in February 2010. And as Intel Corporation’s annual report states, they “regularly face attempts by others to gain unauthorized access through the Internet to our information technology systems by, for example, masquerading as authorized users or surreptitious introduction of software. These attempts, which might be the result of industrial or other espionage, or actions by hackers seeking to harm the company, its products, or end users, are sometimes successful.” The statistics and trends confirm that the problem is getting worse. Addressing this threat requires vigilance, commitment, and resources. This is why we are observing a market shift toward increased spending to address the situation combined with forced controls imposed by the government on industry wanting to capture government business.
It is clear that the Federal IT budget and cybersecurity market are poised to grow. Anyone seeking to capture new or increased business by selling a cybersecurity product or service to the government needs to be prepared to answer the following questions: What is the information security posture or health of your enterprise? How do you respond to incidents? Have you used your product/service on your own enterprise? If not, why not? If yes, how did it perform in comparison to other products in the marketplace? Executives who can answer these questions and employ these organic cybersecurity practices will emerge as the market leaders in this growing segment of federal contracting. Those executives who cannot answer these questions should delay their rush to become the next provider to the government and focus on ensuring the integrity, security, and resilience of their own enterprises.
Melissa Hathaway is President of Hathaway Global Strategies, LLC and Senior Advisor at Harvard Kennedy School’s Belfer Center. Previously she served as Senior Advisor to the Director of National Intelligence and Cyber Coordination Executive during the administration of President George W. Bush, and as Acting Senior Director for Cyberspace for the National Security Council during the administration of President Barack Obama.