The Aspen Cybersecurity Group’s whitepaper ‘A National Cybersecurity Agenda for Resilient Digital Infrastructure’ calls for a systematic prioritization of improving cybersecurity, citing deep structural shortcomings at all levels of digital infrastructure. It describes improving cybersecurity as being as fundamentally important to society as the introduction of sewer systems was to 1800s cities dealing with sanitation-caused health crises, and as deserving at least as much attention, priority and resources as the US government committed to confronting terrorist organizations in the wake of 9/11.
Citing the huge growth in breach frequency and per-incident damage, the whitepaper notes that improvements to cybersecurity are still being implemented on a piecemeal, uncoordinated basis despite the enormous financial cost of cyber attacks, which have touched nearly every organization at some point in the past decade.
One of the key areas highlighted for improvement is in ‘Measuring Cybersecurity’. The Aspen Group calls for the establishment of a Bureau of Cyber Statistics and points out the need for better assessment of the cost-effectiveness of cybersecurity frameworks and risk analysis tools.
Acknowledging a problem is the first step to resolving it. The Aspen Group is right to call out governments, corporations and other enterprises for allowing the cybersecurity problem to fester and grow to the point that it now poses a fundamental threat to the health, security and wellbeing of citizens, companies and governments globally.
The time is long past due to implement the type of systemic improvements that the Aspen Group and others such as the Cyber Solarium Commission propose.
As the sub-header of the section on Measuring Cybersecurity declares: ‘We can’t solve problems if we don’t know what works and what doesn’t.’ Many enterprises, as well as investors, insurers and regulators, struggle with this issue and with measuring the Return-on-Investment (ROI) of the various elements of their cybersecurity programs. While it is clear that better measurement standards and reporting requirements would help improve cybersecurity at both the individual enterprise and systemic levels, Cyberhedge has developed ratings that leverage a combination of operational, financial and cyber assessments and act as an ‘early warning’ system to help companies avoid cyber-related financial losses.
The consistent outperformance of companies highly ranked by Cyberhedge over companies ranked as ‘poor’ is market-based proof that cyber governance is measurable, and that it impacts market performance. The ratings also identify where companies are deficient, enabling them to target investment where it will generate the most improvement in cyber performance, and therefore the highest ROI.