68 FORTUNE FEBRUARY/MARCH 2021
nology policy director with Cisco Systems. That’s why the SolarWinds attack impacted public agencies and private companies alike: Using the same software exposes them to the same attacks.

SolarWinds can boast of an achievement that few of its rivals can match: Between 2010 and 2019, its profit margins tripled. The company was able to keep widening those margins, in part, by outsourcing work on its Orion product to less expensive software engineers in Eastern Europe. What seemed like a savvy business move may turn out to be the company’s undoing: As of this writing, investigators were pursuing the possibility that hackers compromised SolarWinds through its Eastern European operations. But in outsourcing its engineering, SolarWinds was reacting rationally to market forces (not to mention following the lead of many of its software peers).

The underlying problem is that the U.S. has a severe shortage of cybersecurity talent. A recent survey by the labor analytics firm Emsi found that the U.S. has less than half the qualified cyber professionals it needs, across the public and private sectors—a gap that has resulted in hundreds of thousands of unfilled jobs. That helps make existing talent more expensive: The median cybersecurity salary in 2019 was $99,730, according to the Bureau of Labor Statistics, about 15% above the median salary for software engineers. And that extra cost gives firms in the industry another incentive to take production offshore.

In a sense, the problem starts in our universities, and some reformers think the solutions should begin there too. A 2016 review found that of the top 10 computer science programs in the U.S., none required cybersecurity coursework to graduate; three of those 10 didn’t have a cybersecurity program at all. Some companies have been stepping up efforts to train entry-level cyberdefenders. Frank Cilluffo, a former adviser to the George W. Bush administration on counterterrorism and cyber issues, recommends thinking even bigger: “We need the equivalent of an educational moonshot around cyber issues, which will require federal funding,” he says.

New cohorts of cybersecurity graduates won’t help much, though, if they’re working within a dysfunctional system. Restructuring that system is core to the work of the Cyberspace Solarium Commission, a task force commissioned by Congress to help reform U.S. cybersecurity. “Our focus [is] on making the market more effective at driving good behavior,” says commissioner Suzanne Spaulding, a senior adviser for cybersecurity and counterterrorism at the Center for Strategic and International Studies. “If the market isn’t performing the way it should, why isn’t it?”

The commission spent the past year drawing up a wide-ranging list of recommendations, and in January, 26 of them became law as part of the 2021 National Defense Authorization Act. The NDAA creates a White House–
SETTING BETTER STANDARDS

TOO OFTEN cost-conscious companies nick cybersecurity from their budgets first.

Ian Thornton-Trump says he experienced just that agony firsthand when the digital defense advice he gave to SolarWinds—whose widespread network monitoring tool Orion became ground zero for the hackstravaganza—went ignored a few years ago. (A SolarWinds spokesperson said, “We believe our investment in security has consistently been appropriate for a company of our size” and that the company is now “fortifying and implementing additional security practices.”)

Thornton-Trump, now chief information security officer at cyber firm Cyjax, believes companies should keep up to snuff when it comes to certain basics, he tells Fortune. That could include requiring businesses to perform regular audits and penetration testing, which gauge how permeable a company’s systems might be to a hack. He looks to the cybersecurity standards set by the New York Department of Financial Services, which came into full effect in 2019 and apply to financial firms operating in the state, as a solid precedent. (Reaching for carrot over stick, Thornton-Trump suggests that the government offer tax rebates to companies that perform third-party attestations proving they’ve abided by the rules.)

Thornton-Trump also proposes requiring companies spend a certain share of their revenue on security controls. A 2019 study by Deloitte and FS-ISAC, a security-focused consortium for the financial industry, found that financial firms spend on average 10% of their IT budgets, or about 0.6% of their revenue, on cybersecurity. That’s roughly $2,150 per employee. While there’s no one-size-fits-all approach—and compliance doesn’t equal security, any worth-their-salt security pro will tell you—the figure is not a bad rule of thumb.

Similar standards-setting is underway in the government. The Department of Defense asks its suppliers to comply with a “cyber maturity model certification” that aims to assure some basic level of data safeguarding.

Solarium’s Montgomery hopes the government will establish a nonprofit bureau of cyber statistics—similar to Underwriters Laboratories, which tests and grades consumer products. That hypothetical organization could become an essential source of data for the nascent cyber insurance industry, a key lever for pushing the private sector to adopt better cybersecurity practices. It could also eventually rate software and software components based on their cybersafety—a grading system that could nudge sloppier tech companies to step up their game.