Cybersecurity leadership in an era of public-private partnerships
SecurityScorecard recently hosted a webinar with our Co-founder and CEO, Dr. Aleksandr Yampolskiy, and Sue Gordon, the former Deputy Director of National Intelligence and SecurityScorecard board member. Gordon drew on her experience as a key advisor to the President and National Security Council to discuss the shared responsibility between public and private organizations in combating cyber threats, the concentration of cyber risk, and the value of easy-to-understand cybersecurity metrics.
The webinar kicked off with a reference to a 2022 article Gordon co-wrote with Eric Rosenbach in Foreign Affairs entitled, “America’s Cyber-Reckoning: How to Fix a Failing Strategy.” In it, they wrote: “Companies are in the cross hairs of hackers of many stripes, and corporate leaders have become de facto national security decision-makers. To create shared norms and encourage the independent enforcement of cyber-protection standards, at least by publicly traded companies, Congress should consider creating a cybersecurity analog to the Securities and Exchange Commission, which protects the integrity of markets, and a version for cyberspace of the Generally Accepted Accounting Principles, which shape the public disclosures that companies must make.”
Two years later, Gordon still agrees with that statement, noting that we still haven’t made much progress. Organizations in both the public and private sectors are targets of cyber threat actors, and because those organizations are so interconnected, cyber leaders and policymakers must collaborate more closely to protect the shared digital ecosystems they depend on. Nation-states, ransomware groups, hacktivists, and other threat actors are constantly looking for a way in. As we’ve seen with MOVEit, Change Healthcare, and countless other incidents, a breach at one company or organization, especially a widely used software product or service provider, can spread like wildfire across the digital supply chain.
Combating single points of failure in the supply chain
According to our Global Cyber Resilience Scorecard study, ten threat actor groups are responsible for 44% of global cyber incidents. That a handful of groups, and a handful of vendors, can cause such large-scale disruption points to a much larger concern: the concentration of risk in the global economy. Gordon pointed out that, in times of peace, we tend to overlook how dependent we become on particular goods and services. The period between the end of the Cold War and the COVID-19 pandemic was one of relative peace and abundance, in which the world became far more globalized and efficient for businesses and organizations. For a long time we rarely saw the downside of those “halcyon days” of immediate availability and interconnectedness. But when the unexpected occurs (a global pandemic, for instance), we suddenly realize how much we rely on products and services that are not locally controlled, and resources controlled by our adversaries are a wake-up call about how vulnerable some of our supply chains and systems are.
For instance, to reduce U.S. reliance on foreign-made semiconductors, President Biden signed the CHIPS and Science Act into law in 2022, allocating roughly $50 billion to the domestic semiconductor industry. The legislation is a step in the right direction toward enhancing the resilience of not only the American supply chain but the global one as well.
More to that point, a whopping $4.6 trillion of goods passes through U.S. ports, accounting for 26% of the U.S. economy. Interestingly, though, 80% of the cranes that unload that merchandise are manufactured in China, whose relationship with the U.S. has grown increasingly hostile in recent years. In other words, a quarter of the U.S. economy runs on equipment whose supply, maintenance, and safe operation depend on a strategic rival. In the event of a conflict, none of that is guaranteed, which is why organizations must diversify their risk.
Communication from the top down
Gordon made the point that organizations need to continuously assess the health and security of their supplier ecosystems. That means not only knowing who your suppliers are, but having a basis for trusting them, and understanding exactly where the weaknesses lie. Circumstances can change quickly for any number of reasons, so organizations need to stress test their supply chains and identify areas for improvement.
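One concrete way to run that kind of stress test, as an added example that is not part of the webinar or of any SecurityScorecard product: model the supplier ecosystem as a dependency graph, then ask which business services go down when each supplier fails. The service and vendor names below are constructed, and the graph is deliberately small so the point is visible: a provider that looks minor when you only count direct contracts can turn out to sit under everything once fourth-party dependencies are followed.

```python
"""Single-point-of-failure analysis over a supplier dependency graph.

Added illustration; the graph, service names and vendor names are all
constructed and do not describe any real organization.
"""

# Constructed sample data: each node maps to the suppliers it relies on.
# Services are the things the business actually delivers; everything else
# is a vendor. Note that "claims-processing" never names cloud-X directly,
# yet depends on it through clearinghouse-A (a fourth-party dependency).
DEPENDENCIES = {
    "claims-processing": ["clearinghouse-A"],
    "patient-portal": ["cloud-X", "identity-Y"],
    "billing": ["clearinghouse-A", "erp-Z"],
    "telehealth": ["identity-Y", "video-W"],
    "clearinghouse-A": ["cloud-X"],
    "identity-Y": ["cloud-X"],
}
SERVICES = ["claims-processing", "patient-portal", "billing", "telehealth"]


def transitive_deps(node, graph):
    """Every supplier `node` relies on, directly or through other suppliers."""
    seen, stack = set(), list(graph.get(node, []))
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(graph.get(dep, []))
    return seen


def suppliers(graph, services):
    """All nodes that appear as a dependency, excluding the services themselves."""
    found = set()
    for deps in graph.values():
        found.update(deps)
    return found - set(services)


def services_hit(supplier, graph, services, transitive=True):
    """The stress test: which services stop if `supplier` fails outright."""
    if transitive:
        return sorted(s for s in services if supplier in transitive_deps(s, graph))
    return sorted(s for s in services if supplier in graph.get(s, []))


def concentration(graph, services, transitive=True):
    """Share of services that depend on each supplier, highest share first."""
    total = len(services)
    shares = {
        v: len(services_hit(v, graph, services, transitive)) / total
        for v in suppliers(graph, services)
    }
    return sorted(shares.items(), key=lambda kv: (-kv[1], kv[0]))


def single_points_of_failure(graph, services, threshold=0.5):
    """Suppliers whose loss would take down at least `threshold` of services."""
    return [v for v, share in concentration(graph, services) if share >= threshold]


if __name__ == "__main__":
    print("direct view    :", concentration(DEPENDENCIES, SERVICES, transitive=False))
    print("transitive view:", concentration(DEPENDENCIES, SERVICES))
    print("SPOFs at >=50% :", single_points_of_failure(DEPENDENCIES, SERVICES))
```

In the constructed graph, cloud-X is named by only one service directly, but following the chain shows every service depends on it, which is exactly the hidden concentration the discussion is about. A real inventory would come from contract, SBOM and architecture data rather than a hand-written dictionary, but the analysis is the same: remove each supplier, count what breaks, and diversify where one removal breaks too much.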
When it comes to decision-making, both Yampolskiy and Gordon agreed that there’s often a divide between the person doing the deciding and the person doing the actual work. Therefore, it’s key for organizations to have clear channels of communication in place long before a cyber incident or crisis occurs. Or as Gordon put it: “The best thing you can do is be clear, open in advance, and then exercise how you want your organization to work. Because when things go wrong, if you think a single person on the top is going to be making all the decisions, you will not be making good decisions. You’re going to be slow to do it.”
The rising threats to critical infrastructure
The conversation then shifted to measuring cybersecurity with metrics that matter. Gordon recommends clear, easy-to-understand cybersecurity metrics; in her words, “I so believe in what SecurityScorecard is doing. I think there is only benefit to people being able to see what their exposure is in a measurable, actionable way.”
Many critical infrastructure institutions are vulnerable to cyber incidents because of increasingly sophisticated threat actors, outdated technology and legacy systems, inadequate security measures, insider threats, insufficient training and awareness, resource limitations, and more. Public and private organizations alike would benefit from security ratings, especially as a way to strengthen critical sectors like healthcare, telecommunications, and energy.
Healthcare sector
The cyberattack on Change Healthcare forced the company to disconnect over 100 systems, and medical claims processing ground to a halt. The disruption brought many medical providers to the brink of closure. SecurityScorecard’s recent Global Third-Party Cyber Breach report found that more than 29% of all breaches are attributable to a third-party vector, and healthcare has emerged as the most popular target for third-party breaches, most likely because the field has more numerous, diverse, and specialized third-party relationships than others, each of which is a potential path in.
Telecommunications sector
Telecommunications, internet service providers, and cloud providers are among the most critical sectors on the planet, and their reliance on vast networks of third-party vendors, partners, and service providers means a sprawling, hard-to-manage attack surface. A staggering 85% of the top telecom companies in the U.S., U.K., France, Italy, Denmark, and Germany experienced a third-party data breach in the past 12 months alone. This industry needed a comprehensive cybersecurity approach tailored specifically to the sector, which is why SecurityScorecard introduced the industry’s first security ratings developed exclusively for these providers, in response to industry feedback and requests for an approach suited to their unique digital ecosystems.
Energy sector
SecurityScorecard’s recent report on the energy sector found that 90% of the world’s largest energy companies experienced a third-party breach in the past 12 months. Just as with telecommunications and healthcare, global reliance on the energy sector makes it a prime target for cyberattacks. Attacks on these sectors not only cause financial losses and disruption but also threaten personal safety and national security.
These industries—and the amount of data they collect—are particularly worrisome because of how much we rely on them. Security ratings enable us to identify potential weak spots and bolster our collective cyber defenses.
As a board member, Gordon understands the need for easy-to-understand key performance indicators (KPIs) to communicate cyber hygiene. Not all executives and board members are well versed in cybersecurity language, so providing them with simple and straightforward benchmarks is a great way to present a clear picture of cybersecurity goals and performance.
Cyber regulations and national security
The conversation shifted to the U.S. Securities and Exchange Commission’s (SEC) cybersecurity disclosure rules, adopted in 2023, which require publicly traded companies in the U.S. to disclose a material cybersecurity incident within four business days of determining that the incident is material (a determination the company must make without unreasonable delay after discovery). The only permitted delay is where the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. While some may view this as an overreach, Gordon applauded the commission for its willingness to provide a standard protocol.
Cybersecurity leaders in both the public and private sectors need to ensure they have trustworthy, reliable data that measures cyber resilience and effectiveness. The new regulations from the SEC and the EU’s Digital Operational Resilience Act (DORA) represent a shift away from decades-old voluntary guidelines toward more aggressive regulatory approaches. The emphasis on measuring and communicating cybersecurity risk at every level of an organization is growing. And it’s not just the job of the security team, either: if everyone makes cybersecurity a priority, national security and our collective cyber resilience will improve.