Widespread data breaches show clearly that a more rigorous approach to cyber security is needed. That means clearly defining requirements – and then holding companies and government employees accountable if those requirements are not met.
Here are four ways to move toward that goal:
Build on existing cyber initiatives
In May 2021, President Joe Biden signed an Executive Order (EO) on Improving the Nation’s Cybersecurity. Mayer Brown, a global law firm, said the EO could “serve as a roadmap for Congressional cyber security legislation that could apply to most – if not all – of the [U.S.] private sector.”
Another example: Germany’s IT Security Act 2.0 lets the country’s cyber security agency identify the customers of telecom operators. This allows the agency to notify victims in case of a data breach.
Enhance supply chain cybersecurity
Supply chains are vulnerable to cyber-attacks. One study found that over the past 12 months, 92% of U.S. organizations have experienced a cybersecurity breach stemming from vendor vulnerabilities. One-third of respondents said they had no way of assessing third-party vendor risk.
In response, the U.S. Department of Defense (DoD) launched the Cybersecurity Maturity Model Certification (CMMC), which all DoD contractors and their suppliers will be required to obtain. This model can be expanded to include companies that do not work for the U.S. government.
Improve global collaboration with mutual trust agreements
Cybersecurity is a global threat that must be tackled multilaterally. Governments should sign mutual trust agreements committing them to a shared set of cyber norms – and they should be held accountable for nonconformance. Private companies could also sign such agreements with their customers, and with the governments of the countries where they operate.
Remember that managing cyber-risk is a shared responsibility
Everyone – from IT managers to C-suite executives – must understand the importance of accountability. Cybersecurity procedures must be open to scrutiny so that it is clear whether requirements are being met. Failure to meet them must result in real consequences for the offenders. For private companies – and for government employees – this could include publicly announced fines, loss of promotions and annual bonuses, as well as demotion, suspension or dismissal.
Report is from Uganda CSPO Kevin.