Forbes.com interviews leaders on "10 Ways to Fix Cybersecurity". It's useless -- in fact (as I'll demonstrate below) worse than useless.
The problem is that these leaders aren't experts, they are fluff; their technical competence extends only as far as knowing who to call in IT to turn on their computer (at least, as far as the executives go). You wouldn't ask them how to fix cybersecurity any more than you'd ask basketball fans, or even owners, how to fix the team. Instead, you ask the experts, like coaches. Steve Ballmer was the CEO of Microsoft for the last decade, but you wouldn't ask him how to fix cybersecurity any more than you'd ask him to coach the LA Clippers.
The corporate executives in this list do as media training taught them: bridge whatever question is asked to the answer you want to give.
Microsoft's big emphasis right now is on the "cloud". For $99 a year, you get a license of Microsoft Office (Word, Excel, PowerPoint, Access) for 5 members of your family, plus access to the cloud version of Office, plus 5 terabytes of cloud storage (that's right, I said terabytes). Things like their Surface tablet are designed specifically as an extension to the cloud rather than a stand-alone device.
Thus, when Scott Charney, Microsoft's VP, is asked how to fix cybersecurity, his answer starts with "In the world of cloud services and big data, ...". At this point in the discussion, he hasn't even finished listening to the question before he starts in with this answer. It's the same answer he gives to everything, including "would you like fries with that" or "how's my hair look?".
Likewise, the senior VP of Cisco starts his answer "Each connection in the Internet of Things...". I'll give you one guess what Cisco is pimping right now. If you guessed "Internet of Things" (IoT), then you'd be right.
I don't even know what The Chertoff Group really does, other than sell access to the government. But its CEO's answer starts with "Corporate America rarely grows 100% organically anymore. M&A is almost always involved." What? They sell cybersecurity for mergers and acquisitions? That sounds odd. Well, that's indeed what they do, front and center on their webpage.
Google has its fingers in lots of pies, of course. One of their big things is competing against Microsoft with cloud-based office applications. An enormous number of organizations tired of managing Exchange have moved to GMail as their cloud-based email solution. Thus, the answer to the question from Google is "we should have users work with a single interface, like a browser, through which they can do multiple things". In other words, stop using Microsoft Office installed on your Surface tablet, just use Google's cloud-only solution instead, using Chrome.
The Forbes post asked this question of non-corporate people as well, such as the Chair of the Federal Trade Commission. Her answer was, of course, focused on laws/regulation: "Online security for children’s information is of particular concern. The Children’s Online Privacy Protection Act gives parents the right to control the collection of personal information from their kids." She is, of course, defending COPA, a draconian law that was mostly struck down by the Supreme Court for infringing on civil rights, because children.
One of the sillier answers was from Daniel Suarez, the author of cyberpunk thrillers. His answer is "What we need is an Apollo-like national project to build a new, secure network for critical infrastructure that would use a separate protocol, proprietary hardware, dedicated fiber-optic lines and powerful encryption to eliminate all but the most elite interlopers." Of course, it's in the nature of sci-fi authors to think big, but the point I want to make is his use of the phrase "powerful encryption". There is no such thing. There are only two types of encryption, that which works and that which doesn't. When encryption doesn't work, your neighbor's pre-teen can break it, such as when she breaks into your WEP WiFi home router. When encryption works, not even the NSA can break it with their billions of dollars invested in supercomputers, which means Edward Snowden is safe sending email with PGP encryption. Phrases like "military grade encryption" or "powerful encryption" are just tropes you see in fiction; they don't exist in the real world. I point this out to communicate the degree of fluff in Suarez's answer.
The final example is that of Christopher Soghoian of the ACLU. You'd expect him to stand up for civil rights but he doesn't. He's less a defender of civil rights and more a garden-variety left-winger, so his solution to cybersecurity is to regulate evil corporations and defend the poor consumer with a "powerful privacy and data-security regulator that can set data security rules for companies and enforce them". We are headed rapidly toward a cyber-police-state, with the right-wing exploiting fear of cyberterrorists to pass laws, and the left-wing exploiting trumped-up fears of evil corporations to likewise pass even more laws restricting freedom.
The point I'm trying to show is that none of these were honest answers to Kashmir's question. All were answers designed to exploit the question in order to further their agendas.
And that's the problem with cybersecurity. The solution is to stop asking these sorts of people, and start listening to technical people.
One example is this post from Meredith Patterson, a techie, where she answers essentially the same question. Her answer is "Follow the OWASP best practices and focus on your responsibility to your customers". That's a vastly better answer than any of the above 10 answers.
But nobody is going to listen, because for one thing it's technical, and for another thing, Meredith isn't a VP or Chairwoman or a sci-fi author or a member of the ACLU. Instead, she's just a run-of-the-mill techie who knows stuff.
If the journalists want to do anything other than help public figures further their agendas, then instead of quoting those fluffs, they should be talking to techies like Meredith.
(...with apologies to Kashmir Hill; she does great stuff, it's just that this particular post was appalling).
Update: Chris Soghoian has solid technical chops. I can personally attest to some of them; he's also worked in computer science, so probably has even more than I've seen. I don't mean to imply that, unlike the executives I trash, he's lacking in skill. I only mean to imply he's left-wing, and that his answer serves his political agenda.
Also, Brian Krebs, while a journalist, has direct first-hand experience worth listening to in the realm of cybersecurity.