The reality is, as it has always been, that cyber security is most frequently addressed reactively, and hardly ever proactively. The hope is that, when mind-changing events do occur, they shouldn’t be too damaging. I recall earlier in my career when I, as the CIO, would year after year request a budget for a disaster recovery site. The request was rejected until there was a major, but scattered, power outage in lower Manhattan due to a fire in a substation. We fortunately were not impacted, but the building next to ours was without any electricity for about two weeks, and some of the tenants were pushed to the edge of bankruptcy. Within days I had my disaster recovery budget.
Judging from various allusions in the press, the U.S. government has already had such mind-changing events, with the resulting CNCI (see my January 13, 2009 column) to the tune of billions of dollars. So far, incidents in the private sector have apparently not been severe enough (or may not have been detected or reported) to warrant such huge expenditures. If and when they do occur, then one can imagine the scramble to protect that which has already been violated. It is to be hoped that the building next door is affected and not us. But that’s a matter of luck, not design.
