In the last week I’ve had two calls with companies deciding how to respond to the cybersecurity letter that Sen. Rockefeller sent to the CEOs of Fortune 500 companies. The deadline to respond is 19 October.
CEOs are not required to respond, and with the demise of the Cybersecurity Act of 2012, it’s tempting not to answer. However — as I noted in my first take on the Cybersecurity Act, this issue is not going away, and if you want to protect your standing to comment on future legislation and regulations, then at least a considerate reply is in order.
The White House is working on a draft executive order on cybersecurity, which is likely to include a rewrite of HSPD-7. That rewrite was leaked in September. And now Secretary of Defense Leon Panetta is stepping up the beltway rhetoric on cybersecurity – using the cyberattacks on Aramco in August as evidence of the threat.
So, what’s a CEO to do? It’s up to each CEO, of course. You should consult your general counsel and your CISO. If you don’t know who your CISO is …, well, it’s not too late to meet him or her.
Also, consult your Washington representatives — if you don’t have one, that’s fine. Call the head of your industry association, and find out what they’re recommending as a response.
If you do reply, review your letter against the following principles. Any future regulations should be:
1 — Risk and performance based
2 — Industry specific
3 — Voluntary to the extent possible
The bottom line here is that one size does not fit all.
For CEOs who want to know what a great cybersecurity program should look like, I urge you to talk to my IT security colleagues Earl Perkins, Tom Scholtz, John Pescatore, and others who can help you evaluate your cybersecurity maturity and where to focus on improvements.
Note — I’m just the stray policy wonk at Gartner who happens to live inside the Capital Beltway, and in the interest of full disclosure my cybersecurity interest is primarily at the national policy, not the enterprise program level. Many years ago Richard Hunter and I ran the first ever national cybersecurity wargame, Digital Pearl Harbor.