Assume the Policy Positions

Just imagine – if at the doors and windows of every corporate office, retail location or facility your company maintained, there was a press – an aggressive crowd of organized criminals, and an assortment of con-men, delinquents and protesters – all pushing to gain entry. Imagine that this wasn’t limited to your own operations – but up and down the block and throughout the region – impacting every business, of every size, in your locale.

What if, in this cacophony, it was up to the building security desk to create a narrow path through the chaos – and to reinforce and secure it as far as their budgets allowed? Would we reasonably expect them to sort out legitimate visitors, and then safely and expediently manage their ingress / egress – all while the majority of the individuals they interrogated were malicious?

As much as I truly respect my blue-blazered and lanyard-wearing colleagues – this would be ridiculous. While they have a critically important role in maintaining the physical security of our facilities – there is, of course, a reasonable expectation that some level of public safety and order exists outside our doors. If this could not be guaranteed – it would be a significant Executive decision whether it was worth the investment to even open facilities, or expand investment, in such a municipality. No doubt – this would be made perfectly clear to the local authorities and politicians.

Yet, when it comes to cyber threats, we seem totally accepting of this very situation. There seems to be little expectation of greater public action to assist us (even while we acknowledge the outstanding work and efforts of law enforcement against cybercrime today). It seems companies have resolved that the current level of threat is simply the reality we must accept for our organizations to operate digitally.

While our cybersecurity professional associations and “big tech” may be pursuing some relevant policy positions to address these concerns – as CISOs, I argue we are not leveraging our Executive roles within our organizations to make these issues major planks of political advocacy in our respective industries.

Of course, carefully calibrating nuanced public action – so as not to impinge on privacy or stifle innovation, while we attempt to create reasonable guardrails and a predictable playing field – is no small challenge. Considering the highly charged partisan political environment – the situation is all the worse.

Let’s also not forget that cybersecurity is highly technical, and the threats so distributed, that it has become like background noise. So yes, many factors work against creating a shared policy platform that would be effective in assisting the private sector.

However, if we don’t start trying to leverage our political capital, two clear dangers are already apparent:

  • Cybersecurity seen as a “Big Tech” issue: Big Tech can be painted as coastal and elitist pseudo-media companies. It is easy to scapegoat them or point out legitimate failings on their part – and then have their cybersecurity concerns lumped in with their other business interests.
  • The action will be unidirectional regulation of us: It is very easy to say we have to do a better job protecting our systems and data – and we always have to, because Momentum is the Enemy – but again, in nearly any other public safety or law enforcement situation, the burden would not be so heavily weighted on the private sector.

So what are some positions I think we could all coalesce around, across industries and political views, that might actually help in the near and long term?

Well, here are some quick ideas at the top of my list:

  • No mandated encryption “back doors” ever: As CISOs in every industry, we know that unintended vulnerabilities get exploited all the time, even when no intentional back door exists. How on earth will we protect and maintain security when built-in security holes are created? Even in the rare sensational situation, the continuous “bad” of exploits against the back door will far outweigh any potential “good” that could have been achieved. (And really, would criminals / terrorists even keep using these channels if there were known back doors? What are we talking about here?)
  • Prioritizing and increasing funding for cyber law enforcement: Making cybersecurity a larger public concern, and funding it accordingly, would do a great deal. I would like to see focused but expanded extradition agreements for cybercrime become a priority in trade deals and other diplomatic efforts. Of course, more local and federal law enforcement agents and capacity dedicated to cybercrime would be welcome.
  • Funding for academic research in cybersecurity: Academic institutions need to be supported so they can make the investments in research we all will require (in fields like quantum cryptography and artificial intelligence). Even if the private sector is pursuing many of these efforts – there is no doubt that public, non-proprietary solutions and research are important to really push advancement at scale. All industries would benefit, and there would likely be a positive economic impact as well.
  • Moving on from Social Security Numbers: Know what I would love? Not having to protect PII that can be used at other organizations if it is ever compromised from mine (or vice versa). Advocating for a modern approach to government identification that better protects citizens from identity theft should be prioritized. Blockchain, EMV-like or FIDO-like solutions could be leveraged – and I would love a “single use” identifier that could be validated and tied to a core identity – but which was scoped and limited to only our relationship when stored in our systems.

While none of these are “original” – they do require varying degrees of investment, funding and prioritization.

But imagine if CEOs from EVERY industry were talking about these points. Imagine if their combined influence and advocacy was heard from every direction. Imagine that politicians realized there was broad consensus and material public good.

Then realize – as CISOs we have the ability, influence and proximity to make this a reality. Certainly a better daydream than the one we started with, no?