IWCE keynote Roger Cressey: If you’re reacting to a cyber attack, you’re too late
Cyber threats will never be eliminated, but cyber risks can be mitigated, according to Roger Cressey, NBC News’ counter-terrorism analyst and former presidential advisor to both the Clinton and Bush administrations.
Cressey addressed an audience of approximately 200 as IWCE 2015’s opening keynote speaker. He advised the varied group of industry professionals and public-safety leaders to get ahead of the cybersecurity curve and to start thinking about cyber threats proactively, rather than reactively.
The so-called Internet of Everything–the next generation of interconnectivity between traditionally non-computerized devices–presents myriad problems. Technology is moving faster than the security industry can keep up, which means cyber criminals always have the upper hand, Cressey said.
“How do we understand how all these connected devices operate in that Internet of Everything environment?” asked Cressey. “This is an enormous security issue.”
Interconnectivity means interdependencies, and interdependencies often mean weak links in the cyber-security chain, Cressey said. For example, a corporate firm could have an extremely tight, sophisticated network, but it gives the office’s HVAC managers access to control thermostats remotely. If the HVAC company’s network doesn’t have the same stringent security requirements as the corporation, it becomes a liability.
This is exactly how the high-profile Target breach occurred, Cressey reminded the audience. Target reacted swiftly, and rectified the issue.
But in the case of Target, and of numerous high-profile security breaches around the globe, it was the failure itself that prompted the action–a pattern that Cressey says is backward.
“If you are throwing [resources] at the problem after the fact, you are failing,” he said.
So what is the solution? “The first thing you have to do is admit you have a problem,” Cressey said.
Every organization needs to assume it will be attacked at some point.
“The most sophisticated networks, in government and out of government, are going to be compromised,” says Cressey. “That’s a reality.”
The right approach is to develop a plan before the attack happens to mitigate its inevitable impact. This is the shift in thinking about cybersecurity that public-sector and private-sector leaders must adopt.
“An investment in cybersecurity is not about preventing the breach,” Cressey said. “It is about adopting a risk approach that allows you to minimize the impact–the data manipulation and the data loss–and resuming business operations as quickly as you can.”