This morning President Obama announced that he would be appointing a Cybersecurity Coordinator. The appointment is one of the many recommendations of the 60-day cyberspace policy review (PDF) commissioned in February. Along with the review itself comes a list of the papers that in part informed the reviewers.
The review outlines 10 near-term goals for the US Government. While many are concerned with governmental or international policy, two are just as applicable to the safe and secure operation of an enterprise network.
Initiate a national public awareness and education campaign to promote cybersecurity
Education should be a key part of any security strategy. One of the largest security risks in any organization is the connection between the keyboard and the chair. It is undoubtedly true that there are many users who will not understand or care about network security. However, changing the behavior of those who do understand will reduce your risk, which is the purpose of security measures. No single policy, education program or technology solution will provide complete security; they must be used together as part of a coherent strategy to secure your network.
Prepare a cybersecurity incident response plan
To quote President Obama: “ad-hoc response will not do”. Despite your efforts to minimize risk, there will almost inevitably be security incidents on your network that require a response. Planning that response in advance will lead to a calmer and more controlled incident. Last year the SANS Internet Storm Center published a series of articles about preparing for and responding to security incidents during their Cyber Security Awareness Month. In fact, some data protection laws, such as the one in Massachusetts, require a “comprehensive, written information security program”.
It is refreshingly honest for the US Government to admit that “We are late in addressing this critical national need and our response must be focused, aggressive, and well-resourced.” Unfortunately, many other organizations are also well behind when it comes to implementing good security practices. If yours is one of them, perhaps this is a good time to rethink your security strategy.
Image source: Randy Son Of Robert’s Flickr photostream (Creative Commons 2.0)