Have you noticed how everyone and their Aunt Tilley is sending advice on what to do about cyber security to president-elect Obama? Let’s look at a couple of these offerings, and then I will be so bold as to refer to some advice of my own.
Perhaps the most highly publicized effort is that of the Commission on Cyber Security for the 44th Presidency, set up in October 2007 by the Center for Strategic and International Studies (CSIS). A preview of the Commission’s recommendations is to be presented at a December 9, 2008 session of the SC World Congress in New York. So far, the only output from the Commission that I have seen has related to the organizational structure of the cyber security function within DHS. In fact, the advice was that it shouldn’t be in DHS at all; rather, it should reside in the White House, as described in Greg Carlson’s September 21, 2008 article “Experts urge overhaul in cyber security management” at www.federaltimes.com/index.php?S=3733579. That may well be an issue, but there are many others. Let us hope that the final report, which is due out in November 2008, will provide substantive further guidance. As I wrote in my GRC columns, good risk governance does not guarantee effective risk management.
By the way, if you hang around the conference for the second day, you can hear Jennifer Bayuk, Dan Schutzer and me talk about the myths of information security. This panel is in advance of the publication of a book on the topic, which the three of us have co-edited, called Enterprise Information Security and Privacy (Artech House, March 2009) … essential reading for the next president, perhaps!