In this Q&A, we learn about the latest trends in cybersecurity from Kiersten Todt, the Managing Director of the Cyber Readiness Institute and former Executive Director of the Presidential Commission on Enhancing National Cybersecurity.
1. Kiersten, as a presenter at conferences around the world and attendee at events such as the Department of Homeland Security Cyber Security Conference, what are some observations about the current state of cyber affairs?
Cybersecurity is an evolving challenge. Companies of all sizes increasingly understand the impact of cyber threats and the impact of cybersecurity on the viability of a business, as well as the need to integrate cybersecurity, including preparedness and response, into business operations. At the DHS Summit in late July, Secretary Nielsen discussed the value of cross-sector coordination and the need to focus on risk management. These are two issues that are critical to securing industry and government. Government and industry will be able to collaborate more effectively to address dominant threats and develop resilient solutions by looking beyond sector-specific solutions and across industry and applying risk management frameworks.
2. How did you get involved in the Cyber Readiness Institute?
In 2013, I worked closely with the National Institute of Standards and Technology (NIST) on the development of the Voluntary Cybersecurity Framework. Through my work with NIST on the Framework, I was appointed by Secretary Pritzker and President Obama to serve as the Executive Director of the Commission on Enhancing National Cybersecurity. The Commission was extremely fortunate to be comprised of accomplished individuals, with tremendous experience in national security and cybersecurity. As the conclusion of the Commission approached, the Vice Chair, Samuel J. Palmisano, two of the Commissioners, Ajay Banga, CEO, Mastercard, and Peter Lee, Corporate VP, AI and Research at Microsoft, and I began having discussions about how to continue the important work of the Commission. Ultimately, we identified the needs of small and medium-sized businesses in cybersecurity to be a critical issue that hadn’t been effectively addressed. We were fortunate to have Secretary Pritzker join our effort and engage Satya Nadella, CEO, Microsoft, to launch the Cyber Readiness Institute in July 2017.
3. Small and medium-sized businesses have often been overlooked when discussing cybersecurity. Why is this the case?
Small and medium-sized businesses have not been intentionally overlooked. Many policies and approaches identify small and medium-sized businesses as a critical constituency. The challenges lie in defining the most effective ways to support these businesses. We know that SMBs have more in common with other SMBs across sectors than they do with larger companies in their own sector. This knowledge makes sector-specific organizations less constructive for SMBs. We can also draw a parallel to pediatric medicine. For a long time in the medical field, we assumed we could apply adult medicine to the treatment of children – the same approaches but reduced to adapt to children. We have taken a similar approach to SMBs. We tend to think that we can apply the approaches to large corporations to SMBs. But that is not the case – we need to construct approaches and policies specifically designed for SMBs. Additionally, when developing policies to help SMBs, we need to not only provide the solution, but specific guidelines for how to execute the solution.
4. Is there a responsibility for larger companies to share cybersecurity best practices with small businesses in their value chains?
We are living in a world of growing interdependencies. A single company can no longer firewall its own security and expect that the actions of others won’t impact that business. One of the reasons why we need to be addressing the security of our nation’s infrastructure by examining cross-sector solutions is because the definitions around what is critical are becoming more blurred. The emergence of the Internet of Things (IoT) and all the devices that fall within that broad category means that non-critical devices can, in some way, ultimately be connected to critical infrastructure. We saw this impact with the Dyn cyber attack using the Mirai botnet in the fall of 2016. A less secure device can become connected to infrastructure easily. We can apply this understanding of interdependencies to the relationship between large and small businesses. A large company relies on small businesses throughout its value chain to deliver goods and services. If a small business in a value chain is compromised in some way, that compromise will impact the ability of the large corporation to deliver its goods and/or services. Therefore, it is both in the interest of the greater good and company well-being for large corporations to help small businesses become more cyber secure, cyber aware, and cyber ready. At the Cyber Readiness Institute, we are fortunate to have the commitment of global companies, including Mastercard, Microsoft, Maersk, Citi, ExxonMobil, and Acer, to helping small businesses, globally, improve their cybersecurity.