The Colonial Pipeline attack is your boardroom wake-up call
Our approach to national cybersecurity is broken. And this didn’t just happen recently — cybersecurity has been broken for decades.
The ransomware attack against the Colonial Pipeline system occurred almost 17 years to the day after I testified before the Senate Subcommittee on Terrorism, Technology, and Homeland Security on cyber-risks facing critical infrastructure, particularly the industrial control systems (ICS) used to manage those infrastructures. And while there have been other incidents before this one that should have sparked radical changes in our approach to cybersecurity, I, like many other longtime observers, thought (perhaps naively) that this one would be the wake-up call our business leaders needed.
Whether or not we hit the perpetual snooze button once again remains to be seen. But there is a way forward to fix our broken system: Adopt a risk-led approach to cybersecurity that once and for all bridges the gap between cybersecurity and the business and aligns the entire enterprise to a North Star focus on what risks matter most to the organization.
The Significance of the Colonial Pipeline Attack
Everybody knew an incident like the one targeting Colonial Pipeline was coming. The warning lights have been blinking red for 20 years. It was only four years ago that the Russian threat group known as Sandworm took down the Ukrainian power grid. A year later, the NotPetya ransomware attack cost shipping company Maersk and FedEx $300 million each. There will be more Colonial Pipeline attacks on other critical infrastructures and businesses.
But what this event really demonstrates is the urgent need for business leaders and boards of directors to have a conversation with their chief information security officers about cyber-risk in terms they can understand. The loss from the Colonial Pipeline attack is enormous but also measurable. As regrettable as the event was, it may actually help some non-IT leaders understand cyber-risk. After all, that which is quantifiable is more actionable.
Cyber-risk should be viewed and treated the same as any other operational risk. Cyber threats are not hypotheticals — they are imminent and very real risks to businesses. However, without understanding that risk is a business issue, not a technical issue, critical infrastructure owners and operators will likely not focus their resources on the right things.
To read the complete article, visit Dark Reading.