The state of Connecticut just released its first cybersecurity strategy. The well-rounded framework takes a comprehensive view of managing risk in today's threat environment, and now the focus shifts to implementation. What will it look like, and how much of an impact will it have on Connecticut businesses?
First, credit must be given to the team that drafted the strategy. They managed to avoid many of the pitfalls that usually befall a government body trying to tackle a complex issue.
When Gov. Malloy first appointed a chief cybersecurity risk officer, Art House, last year, there was pressure to get something done, an approach that often leaves businesses with strict regulations and no guidance. Instead, the strategy came first and the action plan will follow, an iterative approach that will give businesses an opportunity to help shape implementation.
Malicious cyber actors don't just threaten one industry, and by acknowledging the widespread nature of the potential impacts, the commission has taken a strong step towards raising the security level across the state.
Modern cybersecurity practices require more than a simple, technical solution. Technology is still a key component, but now it's about layering smart policies, people and plans, so an entire entity is resilient, not just defensive. By taking an approach centered on what the whole enterprise should be doing before, during and after an incident, the commission embraced this new reality.
Now comes the hard part. The devil lurks in the details, and the true, long-term impact of the strategy won't be realized until we see how implementation plays out. If it is too prescriptive, businesses will suffocate. If it's too flexible, nothing changes. Do you use carrots or sticks? Regulations or tax incentives? As the state grapples with this next step, it would be wise to look to the lessons learned from other state-level efforts.
Our neighbors in the New York Department of Financial Services (DFS) recently published a new regulation outlining a baseline standard of cybersecurity for all companies in the financial, insurance and banking sectors. While it doesn't cover the breadth of sectors like our new Connecticut strategy, there are still several key lessons our state can learn.
Be open to feedback
The first version of the DFS regulation was met with significant resistance. The business community viewed it as too prescriptive with unrealistic deadlines, but after a public comment period, DFS issued a final rule that reflected much of the feedback received. While no new regulation is going to be universally loved, this effort to listen and adjust led to a much better reception when the final regulation was published.
Require functions not solutions
The DFS regulation requires companies to address specific functions, rather than dictating specific solutions. For example, companies are required to establish access controls, implement continuous monitoring and adequately train their workforce, but DFS doesn't say exactly how these functions should be performed. Allowing companies the flexibility to determine the solutions that best fit their individual risk profiles, business objectives and resources maximizes their ability to comply.
Establish rolling deadlines
DFS established a rolling series of deadlines that allow the requirements to come online in a logical order. Requiring companies to rush to meet a single, arbitrary deadline encourages them to throw money at various solutions without having the space to think through a risk-based solution designed for their specific needs and resources.
Connecticut has taken a significant first step in securing our state from the impacts of a cyber attack. Establishing a strategy that embraces a robust, modern approach to cybersecurity across multiple industries will leverage our collective strength for long-term results. Now it's time to tackle the details. With such a strong start and the benefit of lessons learned, Connecticut is well positioned to secure our future without harming our economy.
Loren Dealy Mahler is the president of Dealy Mahler Strategies LLC, a Connecticut-based strategic communications firm that advises clients on cybersecurity issues, particularly related to crisis management planning and incident response.
