If anything has been learned in the last year as it pertains to cybersecurity, it’s that IT itself has been weaponized. That’s not necessarily new information for many security professionals. But as more IT and business leaders come to that realization, the tenor and tone of the conversation about IT itself has changed. Increasingly, governments around the world have come to understand that every business they digitally interact with represents a vector through which their national interests can potentially be subverted.
A new Global Security Index report published this week by the United Nations underscores how seriously governments are starting to take this threat. The report finds that 38 percent of the 192 countries that are members of the International Telecommunication Union (ITU), which operates under the auspices of the UN, have published a formal cybersecurity strategy, while an additional 12 percent are in the process of doing so. Of course, the converse of that statement is that 50 percent of the countries that participate in the ITU have not published one.
While publishing a strategy may represent some form of progress, every cybersecurity professional knows that implementing a cybersecurity strategy requires more than words laid down in a document. The report specifically cites Singapore, United States, Malaysia, Oman, Estonia, Mauritius, Australia, Georgia, France and Canada as the nations most committed to cybersecurity.
The primary reason IT and business leaders need to take note of these efforts is that just about every business these days has ties to one government agency or another. As the cybersecurity strategies of various countries move beyond position papers, the cybersecurity policies they put in place will become stricter. If a business wants to be involved in any type of government contract, it should expect to have to regularly pass any number of cybersecurity audits. The more agencies and countries the organization does business with, the more frequent that testing will become.
Naturally, business and IT leaders don’t especially care for audits in any form. The issue many of them will have to come to terms with, however, is that cybersecurity audits will soon no longer be an event. Instead of gearing up to pass a test one time on a specific date, cybersecurity testing will soon become an ongoing process involving lots of continuous testing. Even a government bureaucrat intuitively knows that a compliance certificate stops having any value one minute after it’s been issued. In the increasingly fluid world of IT, there’s no such thing as a steady state. Frequent updates to applications large and small are the new norm.
In times of war, governments put a lot of resources into educating their people on the dangers of how “loose lips can sink ships.” The modern cybersecurity version of that admonition is that loose data can now sink entire countries. Most business and IT leaders would be amazed to see what intelligence operatives can piece together from a few random government purchase orders that haven’t been encrypted. In the digital age, some state of cold war between competing nation states is now a permanent condition. Organizations that don’t have the resources required to mount an effective cybersecurity defense will be bypassed by governments around the world in favor of those that do. That may result in organizations that depend on government contracts ceasing to exist. As unfortunate an outcome as that may be, however, it’s simply a risk that many government officials are coming to understand they can’t afford at any cost.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.