Discussion Post
Strategy Discussion Topic Week 2; National Cybersecurity Strategy
Where should the power and responsibility of national governments begin and end in cyberspace?
Where does the responsibility of private firms begin and end in cybersecurity?
Where should the power and responsibility of national governments begin and end in cyberspace?
- I believe that the national government’s power begins when the government needs to come up with international/global plans to reduce attacks and interference within cyberspace and collaborate with other governments when it comes to making cybersecurity plans. (International policies and action)
- I believe that it ends with providing frameworks and a standard of the bare minimum requirements all security strategies must follow. (Starting at a national level/Providing the people with some direction)
Where does the responsibility of private firms begin and end in cybersecurity?
- I believe that the private sector begins with making security frameworks for different sectors of information and security devices. These frameworks should have the highest prioritization on keeping specific data in different environments safe. (Specific rules and policies for the national level)
- I believe that the private sector ends when they start to limit/restrict access to things that everyone has the right to access.
Management Discussion Topic Week 7; Risk Management
Please read the KPMG report in the link.
Which of the five mistakes, do you think, is more common in an organization/business of your choice? Which of the three options would be more challenging in taking action (risk assessment, changing organizational culture or determining budget)?
- I think mistake number one is the most common and easily accepted. Most people spend their time doing what they studied or trained to do, so when someone is told to think about what another field is doing and actively apply that to their workspace, I feel like it can start a mental divide. The issue of computer security usually falls under the realm of IT, but what people don’t understand is that cybersecurity is something everyone must practice working. Having one department expected to deal with and manage the security of everyone when every person at the business is an attack vector is unrealistic and fantasy at best. This can also limit company goals that align with security policies, which can ruin a business.
- I believe that changing organizational culture is the hardest to take action on because that requires you to push for change on something that is deeply rooted within the company and all employees. Changing a few people’s minds is difficult already, but having to change a company’s mindset is something that almost seems out of scope. Things like teaching people how to be perceptive when clicking on links, receiving emails and false information, and changing how people view the internet can be a tough shift. Another change that is going to be very difficult is implementing cybersecurity practice days that coordinate with company head departments such as HR and department managers. Doing security checks such as sending fake spam emails and seeing who falls for them, doing monthly cybersecurity training, and showing constant support for cyber awareness campaigns can be hard to implement due to the coordination with team leads and higher-ups. In all, risk assessment and determining budget can be solved with a lot of determination and meetings showing growth and profit, but changing an organization’s culture requires meeting people where they are and trying to teach them new practices at all levels.
Concerns Discussion Topic Week 11; Cybersecurity and other Policy Concerns
The CISA Cybersecurity Strategic Plan FY2024 – 2026 presents a vision emphasizing collaboration, innovation, and accountability in the nation’s cybersecurity approach. Discuss the potential advantages and challenges of this three-pronged strategy, and consider its feasibility in the current cybersecurity landscape.
https://www.cisa.gov/sites/default/files/2023-08/FY2024-2026_Cybersecurity_Strategic_Plan.pdf
- This document is a really detailed and oriented vision for upgrading security and shifting focuses on how we should react and respond to cyber threats. The three-pronged strategy has many advantages, like hardening security by upgrading systems as a whole instead of just patching and making workarounds, upgrading the baseline security, and focusing on improving detection and mitigation measures. All of these are great in their own right but also have drawbacks within the real world. From a general sense, we always have to look at the cost of integration for all systems they plan on upgrading, the time it’s going to take to improve all systems, what critical infrastructure will be down while improving systems, and how these systems will work with the current organization’s product/business. Any of these challenges can become a make or break for a project, especially the last one. If a company cannot interact with their work, they cannot continue business. Lastly, a challenge that isn’t as vital but is important is how users interact with the system. Upgrading security is great and all, but when users decide to make it easier to bypass security measures, it can lead to easily exploited vulnerabilities. This plan is feasible, but I would think that the timeline would be a bit longer. With the collaboration between all agencies and how large this project is, I would assume that as long as all agencies work well with each other and all things are set in stone and planned out correctly, it could work, but that’s a perfect world view.
Policy Discussion Topic Week 15; Future of Cybersecurity Policy
The CISA Cybersecurity Strategic Plan FY2024 – 2026 underscores the ‘Whole of Nation’ mission in cybersecurity. Reflect on the roles and responsibilities of various entities under this approach, from individual citizens to governmental bodies. How can this collective strategy effectively mitigate cyber risks, and where might challenges arise?
Updated link:
CISA FY2024-2026 Cybersecurity Strategic Plan
On page 22 it talks about how on all levels we all need to practice cybersafety, but we all do it in different ways.
- For the government, it says that they need to focus on “defining what it means for a technology product to be safe and secure…to help customers choose safe products and manufacturers”; having this could set proper standards of security for companies who place technology on the market. This would affect small businesses the most, though. If this is a hard-line rule and not a suggestion, funding/resources could be a problem.
- For businesses, it says that collaboration for all businesses with the government is key. On page 11 it talks about how, through a “Joint Cyber Defense Collaborative,” they will work to minimize cyber risk and “execute cyber defense plans.” This is a great idea, especially since having everyone on the same page would mean no one is left behind, but my main concern is the different levels of expectation every company has. Some companies might push back on this collab due to different levels of security wants.
- For citizens, making an informed choice on what they are buying is a huge part of our country’s cyber safety. As consumers we buy things expecting them to not do anything but what they intend to do, but not doing enough research can hurt you. Just like how we can buy a bad product, we can buy a product with a vulnerability.