Since the first concerted cyberattacks in the 1980s, cybersecurity has been a growing commercial industry. Today, there are numerous mechanisms for protecting, uncovering, defending, and recovering from cyberattacks. We explore the five key drivers of change and actors that will implement them.
Cybersecurity regulation provides safeguards and directives that protect the use of information technology and data systems. Regulation often remains siloed within countries and driven by a specific sectoral or individual security need. However, such regulation remains a critical lever in driving businesses and organizations to establish their own protection controls.
For example, to promote efficient coordination, the Global Risk Institute sketches a plan for the financial-services industry to cooperate in the response to cyber threats. By ensuring that all stakeholders reliably cooperate in communications, contingency planning, and threat responses, cyber resilience to systemic cyber risks can be greatly increased. In another example, the New York State Department of Financial Services introduced a comprehensive set of requirements for all covered entities in the state, holding senior management to account for assessing and dealing with cyber risk.
However, regulators need to balance demands for cyber resilience against the additional stress placed on organizations. Compliance costs for security teams to submit regulatory reports have mounted considerably. Furthermore, if regulation is not well aligned across jurisdictions, possibly due to country-specific policy goals, fragmentation will add compliance stress. Solving these trade-offs via instruments such as the International Code of Conduct for Information Security proposed to the UN in 2015 will be the main challenge for regulators that strive to effectively reduce cyber risk.
Testing. Centrally coordinated industry- or institution-level testing will help validate cyber resilience and response readiness.
Regulatory conditions. Regulators can stipulate which cyber-risk measures or mutual agreements should be followed. Collaboration through inter-governmental bodies can drive regulatory harmonization across borders. Simplification of regulatory reporting, aligning only key requirements to sectoral needs, will drive down implementation costs.
Well-designed industry standards have the potential to raise awareness and improve practices by aligning best practices, commercial requirements, and capabilities.
At the less-intrusive end of intervention, common standards have been introduced by the application of frameworks, such as the NIST framework for addressing cyber risk. Potential drivers for this are cooperation within an industry and market leaders pushing for common standards. But more invasive methods are also possible, such as the Wholesale Payments Initiative developed by the Financial Systemic Analysis & Resilience Center (FSARC). The initiative states that if a cyberattack disables a financial institution’s capabilities, competitors must provide backup resources to prevent systemic damage.
Guidance. Industry alignment, education, or best practices issued to a sector or industry can elevate the overall effectiveness and management of cyber risk. Common standards that go beyond a “checkbox exercise” can drive overall cybersecurity standards.
Certification. Qualifications or certifications earned by individuals or institutions can elevate the capabilities and visibility of standards within an organization. Industry associations have begun to issue such certifications, but uptake remains low.
Mutualization enables many firms to develop cyber resilience while dealing with the rising costs of cybersecurity. Businesses can set up partnerships and privately maintained utilities that provide services to increase cyber resilience. Conventional examples of this are Information Sharing and Analysis Centers (ISACs), and collective response plans and drills that pool resources to reduce damage and contagion from cyberattacks. Centrally mapping and testing the levels of members’ cybersecurity can reduce risk without an unreasonable increase in time and effort.
Mutualization can increase efficiency, but it requires several levers to drive alignment across industry stakeholders. Cost and effort, lack of senior oversight, and reluctance to share information are major challenges to making mutualization work.
Partnerships. Institutions contribute resources toward common solutions that provide services back to the group of contributing stakeholders. Solutions may involve sharing of sensitive and secure data, which requires highly secure infrastructure.
Utilities. Industry-maintained entities and joint ventures can provide services to the whole industry.
Governments set the environment in which the private and public sectors operate. Governments have a range of tools at their disposal for driving change toward cyber resilience, such as regulation, investments, incentives, education, and use of political capital. Increasingly, governments need to have a comprehensive cyber strategy that prescribes action and places a priority on cybersecurity.
A widely noted successful government initiative is the Israeli “Cyber Spark” cybersecurity ecosystem. Other initiatives include the UK DCMS ministry’s Cyber Security Month, the US Cybersecurity and Infrastructure Agency (CISA), and the European Union Agency for Network and Information Security (ENISA).
Laws & taxation. Adoption of frameworks or laws (such as taxes or tax breaks, and criminalization of lax cybersecurity) provides incentives and boundaries for enforcing cyber policy.
Investment & incentives. Direct funding and/or political investment in initiatives, programs, technology, or business propositions helps promote policy targets.
Education. National-education programs and societal/cultural awareness campaigns can change human behavior and career pathways.
Integrated cyber-risk management. Businesses and individuals need to take responsibility for their own cyber-risk management practices. However, governments can drive dialogue and engagement to prioritize cyber as a risk topic, making it as top-of-mind as driving safety.
Especially relevant to cybersecurity are technologies that change connectivity and processing of data—such as the internet of things (IoT), seamless connections, artificial intelligence (AI), innovative IT control systems, and increasingly powerful processing capabilities such as quantum computing.
While the impact of these technologies cannot be accurately predicted, it is safe to say that organizations will face new cybersecurity challenges and that regulators will need to write policy to shape the development of emerging technologies.
The number of cybersecurity startups using AI to combat corporate cybercrime shows that some parts of the private sector are preparing for the cyber future. Government rule books—such as the UK interdisciplinary-research hub for IoT and the US emerging-technologies strategy—show that it is also possible for the public sector to shape emerging technologies.
Connectivity. Design solutions to address cyber risks associated with innovative technologies (AI, robotics, and control systems).
Processing. Design solutions to address cyber risks associated with increasingly powerful processing capabilities, such as quantum computing.