The Wall Street Journal has two articles today that are on-topic for Information Technology (IT) Security. The first is that the U.S. Defense Department has concluded that a cyberattack can constitute an Act of War, and thus be responded to using conventional measures. That isn’t a surprise at all, and I do think it is prudent to create a policy and set of rules in advance rather than wait for the “9/11” of cyberattacks to occur and then start debating about what our options are. No doubt in most cases we would want to respond to a cyberattack in kind, that is with a cyberattack of our own. But there will be cases where use of kinetic weapons is called for (e.g., a cyberattack by a state entity that causes significant loss of life) and we are just so much better off to think that situation through in advance.
The other article is far more conventional and points out that hacking of organizations is on the rise. While the article suggests that CEOs/CIOs are starting to pay more attention to IT Security, I have my doubts. They’ll give it lip service, but will they really make significant tradeoffs in IT spending or practices to favor security over productivity and ease of use? I doubt it. Will IT Security updates become regular parts of CEO staff meetings and corporate Board meetings? Will we start to see statements added to quarterly and annual earnings reports about steps organizations are taking to protect their information assets? I have my doubts. I guess one of the first things we can look for is if the CSO/CISO position is elevated to report directly to te CEO rather than to the CIO (or CFO, or even lower in the organization)). That would tell me the CEO is serious about taking responsibility for the organizations information security.