This week, I joined the Silicon Valley Leadership Group for a visit to Capitol Hill. The group had asked me to share a few thoughts with congressional leaders on how cybersecurity policy affects cloud software companies like my own, MetricStream. We met with congressional leaders who are grappling with cybersecurity issues. House Majority Leader Kevin McCarthy, Homeland Security Committee Chairman Michael McCall, and Representative Patrick Meehan all demonstrated a depth of knowledge on cybersecurity, and how it is affecting businesses. They were focused mostly on cyber intelligence sharing between the federal government and industry, and between companies. To remove roadblocks to sharing, Congress is considering bills from the House and the Senate that will provide anti-trust liability protections to companies that voluntarily share cyber intelligence. Privacy advocates are justly concerned with sharing of information, and protections are being built into the proposed legislation. Whether those protections are adequate is a political issue that is not easily resolved, but regardless some form of a cyber intelligence sharing bill will likely pass this year. There are several other cybersecurity policy issues remaining, and I expect this bill will break a logjam that has existed on critical infrastructure protection and data breach legislation. More legislation will follow in the current Congress, and that will be mirrored in the EU and other jurisdictions.
While new rules will confront GRC leaders with more requirements, frameworks engendered by those rules like the NIST Cybersecurity Framework are establishing the foundations on which digital business depends. The many opportunities from the digitalization of business can be realized when our GRC programs are robust enough to ensure our organizations’ resilience in the face of new cyber risks, and our ability to meet the new requirements of what is likely to be a rapidly evolving regime of cybersecurity regulations. CROs, CCOs, CIOs, and CISOs will need to work out their own policies for cybersecurity and privacy that account for the variations in laws between different jurisdictions around the world. Cyber risks do not respect geographic boundaries, and in fact bad actors take advantage of those boundaries to protect themselves from discovery and prosecution, seeking havens in locales where enforcement is weak. Companies also find themselves in the unenviable position of being in the midst of cyber wars, and these are wars that will not stop regardless of new rules. While industry, civil liberties, and government leaders work out national policies and new regulations on cybersecurity, it will take real leadership from GRC professionals to interpret these developments and keep their organizations ahead of the curve.