Business continuity strategies for cyber defence: Battling time and information overload
John Streufert, Chief Information Security Officer, US Department of State
Abstract
Can the same numbers and letters which are the life blood of modern business and government computer systems be harnessed to protect computers from attack against known information security risks? For the past seven years, Foreign Service officers and technicians of the US Government have sought to maintain diplomatic operations in the face of rising cyber attacks and test the hypothesis that an ounce of prevention is worth a pound of cure. As eight out of ten attacks leverage known computer security vulnerabilities or configuration setting weaknesses, a pound of cure would seem to be easy to come by. Yet modern security tools present an unusually consequential threat to business continuity — too much rather than too little information on cyber problems is presented, harking back to a phenomenon cited by social scientists in the 1960s called ‘information overload’. Experience indicates that the longer the most serious cyber problems go untreated, the wider the attack surface adversaries can find. One technique used at the Department of State, called ‘risk scoring’, resulted in an 89 per cent overall reduction in measured risk over 12 months for the Department of State’s servers and personal computers. Later refinements of risk scoring enabled technicians to correct unique security threats with unprecedented speed. This paper explores how the use of metrics, special care in presenting information to technicians and executives alike, as well as tactical use of organisational incentives can result in stronger cyber defences protecting modern organisations.
Keywords: cybersecurity, risk, metrics, change, technology, executive
John Streufert joined the US Department of State in July 2006 as the Chief Information Security Officer and Deputy Chief Information Officer for Information Security. His tenure has been marked by improved grades on information security as assessed by the US Congress and by the creation of a leading continuous monitoring programme. In 2010, Mr Streufert was named Chief Information Security Officer of the Year by Government Executive magazine. In 2004 Mr Streufert received the Distinguished Presidential Rank award and obtained the highest IT security score in the federal government as assessed by Congress. Mr Streufert was previously Director of Information Resources for the Federal Crop Insurance Corporation, Naval Shipyards and Naval Sea Systems Command. Mr Streufert graduated from the Maxwell School of Public Affairs, Syracuse University (MPA) in 1985, and from St. Olaf College (BA) in 1979, with one year at Harris Manchester College, Oxford as an exchange student.