By Kevin McDonald
The U.S. government has been very public about its concern for national cybersecurity. There have been grandiose speeches, presidential declarations and several attempts by the legislature to pass new cybersecurity laws.
Private companies should be responsible for the public interest and implement precautions to minimize security failures that potentially undermine national defense.
But the problem with America’s national cybersecurity strategy is bigger than one-off hacks or data thefts. Crimes perpetrated by the likes of Edward Snowden, Chelsea Manning and the individual(s) who committed the alleged leak of the CIA’s highly sensitive cyber warfare tools have resulted in mind-blowing losses.
Beyond those headline grabbers is a problem that gets less attention but poses a significant risk to critical national assets: the fact that private sector businesses operate — but do not adequately protect — a vast majority of the nation’s critical infrastructure and data.
The federal government, and even the largest private sector enterprises, spend billions on cybersecurity investment but fail to extend those efforts into the SMBs that do much of the legwork. Laws are passed that promise to protect sensitive government information and “critical” systems, but the regulations are fine-tuned to work for the business community, effectively neutering enforcement mechanisms. Until there are real ramifications for cybersecurity failures in government and private sector entities that support the government, we will continue to see national security erode.
Consider, for example, the fallout from a 2013 report that found designs for some of the most sensitive, advanced U.S. weapons systems were hacked by a foreign country. Although it is a serious issue that those weapons systems are now compromised and have likely been duplicated by at least one foreign military, there is no sign of any punishment for the private companies that allowed the theft in the first place. In fact, the companies and their subcontractors that made the stolen systems will ultimately benefit from the espionage: There are a limited number of prime contractors that can perform this work, so the companies from which the systems were stolen will most likely build any replacement systems, if they have not already done so. There is no evidence that the contractors have lost work or otherwise paid for their failure. Until the cost of failure is higher than implementing real security technology, we will continue to see poor choices that lead us to cybersecurity failure.
Lack of private sector cyber accountability
I first wrote about the potential for a digital D-Day in 2005, then again in 2012. In the years since, we have sadly not come very far in advancing cyber protection of our most important systems. We are still allowing the private sector to decide what assets are critical and how they should protect them. This is true even where their product, service or infrastructure has a direct role in our national cybersecurity strategy and the U.S. government’s operational continuity.
Private companies should be responsible for the public interest and implement precautions to minimize security failures that potentially undermine national defense. Cybersecurity professionals who falsely attest to security should be held accountable in the same way business executives are held accountable when their companies violate financial regulations.
To continue reading more of the original article on Tech Target, click HERE.
Kevin McDonald, COO & CISO - Alvaka Networks
Kevin B. McDonald is the chief operating officer and chief information security officer at Alvaka Networks. Kevin is a trusted technology and security practitioner and public policy advisor to some of America’s most influential people and organizations. He advises corporate executives, federal and state legislators, law enforcement, high net worth individuals and other business leaders. He is a sought after consultant, writer, presenter and trainer on the issues surrounding personal, physical and cyber security, compliance and advanced technology. Kevin has written for and been interviewed by dozens of national publications and on major television, radio and digital outlets.
Chairman, Orange County Sheriff/Coroner’s Technology Advisory Council (T.A.C)
Member, OC Shield
Member, FBI InfraGard
Member, O.C. Home land Security Advisory Council (OCHSAC)
Member, US Secret Service’s LA Electronic Crimes Task Force (LAECTF)
Smoke testing is a term used to describe the testing process for servers after patches are applied. 
Estimating an average time for patching servers and PCs can be a bit tricky. It can vary from one month to the next, depending upon the number and complexity of the patches released by your software vendors. You must consider all versions of operating systems and have a complete inventory of all your application software to do this job correctly. Our experience has shown that manual patching of systems takes on average of about 1.5 hours each.
This is a basic cost calculator for you to compute your typical monthly cost for patching your servers, PCs, laptops, tablets and associated application software. It also forms the basis for you to begin calculating your Return on Investment for software patching, or for comparison with alternatives to the manual process of patching operating systems and application software—such as Patch Management as a Service, also known as Vulnerability Management as a Service.