Commerce Secretary Penny Pritzker on Wednesday called on the nation’s technology sector to help develop ways and metrics by which companies and organizations can better understand and manage their cyber security risks.

Citing a poll conducted by the NASDAQ [NDAQ] electronic stock exchange, Pritzker said more than 90 percent of board members in companies with cyber vulnerabilities “can’t interpret their cyber security reports.” Not only do corporate executives and board members struggle to understand the technical terms related to cyber, she said, but executives don’t “have metrics to answer questions like ‘How costly would a disruption to our business operations be? What are the measurable benefits of one cyber security investment versus another? And what kind of employee training or technical upgrades are the most cost effective?’”

Department of Commerce Secretary Penny Pritzker. Photo: Department of Commerce

Pritzker spoke in Silicon Valley at the annual meeting of the National Security Telecommunications Advisory Committee (NSTAC), which provides the government with industry advice in areas of availability and reliability of telecommunications services. It was the first annual meeting of the NSTAC held in Silicon Valley as part of the Obama administration’s aggressive outreach to America’s high-tech areas.

Pritzker said that one vehicle through which the nation’s high technology sector can provide input is President Obama’s new Commission on Enhancing Cyber Security, which was recently stood up and includes industry, academia and former government officials. The commission will deliver recommendations to the president by Dec. 1 on actions to strengthen the cyber security posture of the public and private sectors.

Corporate chiefs use numbers, projections and an understanding of profit and cost centers to run their companies, but they don’t have metrics on cyber security, Pritzker said. Only recently have the costs of data breaches involving the theft of personally identifiable information begun to be understood, but overall “mature actuarial calculations do not exist for underwriting of disruptions to business operations due to cyber attack, intellectual property theft from network breaches, or damage from corporate espionage through the Internet,” she said.

“I know that good risk management requires incisive and discerning data,” Pritzker said.

Marc Andreessen, co-founder of the Silicon Valley venture capital firm Andreessen Horowitz and co-founder of the former Internet browser company Netscape Communications, offered Pritzker technologies from two companies in his firm’s investment portfolio that can help companies better understand their cyber needs and vulnerabilities. Seattle-based Apptio provides dashboards for information technology spending and system utilization within organizations, he said.

Tanium, which is based in California, lets organizations know where different applications are within their enterprises and gives high-level control over their IT assets such as verifying patch updates or turning off some applications, Andreessen said.

Peter Fenton, a general partner with the venture capital firm Benchmark, said that information sharing about cyber attacks happens quickly in the high-tech sector but suggested this sharing could be more “systematized” and happen at faster speeds with the government’s help.