Not If, But When

Federal cybersecurity expert shares framework for thinking about growing risk of cyber threats.

April 29, 2015

ANNAPOLIS, Md. – Attendees at this week’s Conexxus Annual Conference had the unique opportunity to hear first-hand from one of the government’s top cybersecurity experts, Brigadier General (retired) Gregory J. Touhill. Currently serving as the Department of Homeland Security deputy assistant secretary for cybersecurity operations and programs in the office of cybersecurity and communications, Touhill shared his expertise on the wide-ranging cybersecurity threats that affect America today.

“Cybersecurity is not a technology issue, it’s a risk management issue,” emphasized Touhill. “Let’s have a conversation about risk. It’s not just ‘geek’ stuff anymore, it’s now an issue in the boardroom. But it should also be a conversation in your dining rooms and in the classroom.”

He particularly cautioned attendees about the growing threat of theft of personally identifiable information (PII), referring to Social Security numbers and related information that can be easily found in health-care records and the like. “When your credit card gets hacked, there’s a cost but it’s finite and relatively short-lived,” Touhill explained, saying that the average credit card theft is resolved for the consumer in about three weeks. “Credit cards are not a long-term theft item for people who really want to make money. Health-care records are where it’s at.” He also noted that law firms are increasingly becoming targets of cyber attacks due to the sensitive nature of their communications.

Touhill shared a framework of five core functions for thinking about cybersecurity, developed by the National Institute of Standards and Technology as part of its Cybersecurity Framework:

  1. Identify what you have and the threats against those assets. Take a look at what you have through the eyes of a criminal. Information has a value, to you and to others.
  2. Protect against threats and vulnerabilities. You won’t be able to protect against anything unless you know what you have, and you won’t be able to protect everything.
  3. Detect when you’re under attack.
  4. Respond properly. You need to have a plan ahead of time.
  5. Recover and be resilient. Build in back-ups, be able to take a punch and keep going.

Touhill went on to advise attendees that every company should have a cyber response plan in place. “The time to respond to a crisis is not when you’re in the middle of it. The time is to plan ahead,” he cautioned, warning that within the next three years it is likely that everyone in the room will be the victim of some sort of cyber incident.
