In the age of technology, the fight for cybersecurity often feels like a losing battle. We move three secure steps forward, developing new technologies and resources, only to find we are seven steps behind the hackers. With our minds on creating the next best thing, we can (and do) miss security needs of our new inventions. Vulnerabilities are born.
Admiral Michael Rogers, Director of the National Security Agency and commander of U.S. Cyber Command, recently stated at the 2015 Aspen Security Forum, "I believe that during my time as the commander of United States Cyber Command, I will be directed to deploy capability from U.S. Cyber Command to defend critical U.S. infrastructure either in anticipation of or in the aftermath of a significant cyber event. […] It's the 'when,' not the 'if,' to me."[1]
Honestly, it's the "when," not the "if," for all of us. With the increasing frequency of cyberattacks, it is difficult to feel safe in today's threat landscape. In the past year alone, I have received offers of "free identity theft protection" from both my health insurance provider and my phone company due to their own costly data breaches. We are not safe anymore.
As daunting as this present situation feels, our story has already been told through tales of unwinnable battles at the Black Gate of Mordor, against the Galactic Empire, for freedom in 1776, and beyond. Darkness looms before us and options feel limited to be destroyed or die fighting.
Yet, this is never the end of the story.
As J.K. Rowling observes, "We are only as strong as we are united, as weak as we are divided." The strength of unity in the face of impossible hardship is a powerful thing. Through unity and great leadership, unwinnable battles become blockbuster movies.
While guidance and regulation are not as fun to read as the words of great storytellers of yore, our leaders are doing their best to provide resources and tools for this uphill battle. The FFIEC encourages banks and credit unions alike to join with information sharing agencies, such as FS-ISAC. The FFIEC has also provided resources for financial institutions to use in preparation for this fight, such as the recent Cybersecurity Assessment Tool.
Admittedly, all of this "help" can feel overwhelming. If you don't know where to start, then start simple and use the Cybersecurity Assessment Tool to see where you stand. You can't protect yourself unless you know where you are vulnerable. On their website (https://www.ffiec.gov/cyberassessmenttool.htm), the FFIEC gives some specific steps to help you do this.
· Step 1: Read the Overview for Chief Executive Officers and Boards of Directors. This document is a quick five pages. It's a brief introduction to the tool and it talks about things like roles and responsibilities. It's good to know your place in the team.
· Step 2: Read the User's Guide. At 10 pages in length, this document is a little longer, but it is still very manageable. This is your plan of action. It defines and explains how the assessment works.
· Step 3: Complete the Inherent Risk Profile. This can be thought of like your offensive strategy. Answer the 39 questions to get a good idea of what you have to offer.
· Step 4: Complete the Cybersecurity Maturity section. Walking hand in hand with your offensive strategy, this section has a series of 494 questions to talk about what you do to protect yourself (i.e., your defensive strategy).
· Step 5: Interpret and Analyze the Results. This is the part where you compare Step 3 and Step 4 to make sure you have the maturity required for the risk you maintain. A Jedi wouldn't go into battle without a lightsaber, so why would we try to offer products and services that we can't protect?
Epic battles are never easy, but preparation goes a long way in ensuring victory. Hopefully, our present story will end like many of my favorite stories and we all will live securely ever after.
Alyssa Pugh is a Security+ certified Tandem Software Support specialist for CoNetrix. Tandem is a security and compliance software suite designed to help financial institutions develop and maintain their Cybersecurity Assessments and overall Information Security Program. To learn more about how CoNetrix can help you with these areas, visit our website at www.CoNetrix.com or email info@CoNetrix.com.
[1] http://aspensecurityforum.org/wp-content/uploads/2015/07/Beyond-the-Build-Leveraging-the-Cyber-Mission-Force.pdf
