Since October is Cybersecurity Awareness Month, I thought it appropriate to comment on developments in the field and implications for workforce training and awareness.
With the seemingly endless array of cybersecurity products, tools and related “best practices” available that promise to protect an organization’s enterprise and its data, it is fascinating to see the continued spate of successful cyberattacks. Whether it be one-off attacks against large companies and government organizations, like the recent Equifax and SEC breaches, or large-scale campaigns based on a software vulnerability, such as the recent WannaCry and Petya ransomware attacks, it appears that the adversaries are winning – and winning at an increasing rate. How is it, in an era of ever more sophisticated cybersecurity tools, that it feels like we are backsliding?
For those of us who have served in senior IT roles in large enterprises, it’s well understood that there are three factors that, when combined, make it exceptionally difficult to secure an environment and prevent successful cyberattacks:
In almost all large organizations, you can find tremendous complexity in the IT environment: a combination of legacy (likely antiquated) systems that are still core to business operations, many modern applications that are likely built in a number of different languages and architectures, and a new set of applications that are running in a public cloud. In particular, SaaS-based applications are becoming the way organizations quickly and easily leverage new applications.
Not so long ago, IT security staff worked to protect the organization’s IT perimeter. With today’s new computing and service models, we have to admit that a traditional perimeter no longer exists – or, if a perimeter does exist, it might include protecting a number (perhaps up to dozens) of third-party cloud service and SaaS-application providers.
The second factor working against our ability to protect our environments and data is the adversaries themselves. Through new ways to share techniques and data, they are ever more sophisticated and persistent. Whether they’re nation-states or criminal organizations, there is tremendous potential gain for the adversaries, and the investment needed is relatively modest.
The third factor making cybersecurity defense so difficult is the lack of available talent. Estimates vary, but Cisco estimates that there are currently one million unfilled cybersecurity jobs worldwide. Most large organizations struggle to find, develop and retain such talent.
In large organizations, the sheer complexity of the IT ecosystem requires both proper management of that environment (e.g., rigorous software patching) and proper implementation and monitoring of tools to support the organization’s cybersecurity posture. Such tools include identity management and access control systems, firewalls, intrusion detection systems, etc. It is difficult to find and retain the talent necessary to implement and monitor such systems. No wonder so many organizations are struggling (more than they will admit publicly) to properly manage and secure their IT systems.
While I believe we are, as an industry, still losing ground to our adversaries, there are some positive developments. The awareness of cybersecurity risk among CEOs, board members and government leaders has increased significantly over the past few years, and many organizations recognize that cybersecurity breaches are the greatest business risk they face. Organizations are becoming more sophisticated in treating this challenge as an enterprise risk management problem and using tools to help them identify a rational way forward to address that risk. As daunting as the challenge can be, organizations are facing the fact that they must triage the problem and focus on the protections to minimize the risk that can do the organization the most harm.
To this end, I want to showcase two tools that are being adopted as de facto standards for supporting organizations in their cybersecurity enterprise risk management efforts.
The first tool is the NIST Cybersecurity Framework, which was developed in response to an executive order issued by President Barack Obama to address cybersecurity risks to the critical infrastructure sector. The NIST framework outlines a rigorous seven-step process that results in an action plan to implement the investments that will have the greatest positive impact on an organization’s cybersecurity posture. NIST personnel did not develop the framework in a vacuum; it was crowdsourced with the support of more than 3,000 people from diverse parts of industry, academia and government.
It’s already proving valuable; according to Gartner, by 2020, more than 50 percent of U.S.-based organizations will use the NIST Cybersecurity Framework, up from 30 percent in 2015. Recently, President Donald Trump issued a cybersecurity executive order directing all agencies to adopt and use the framework to address their enterprise risk management posture.
The second tool that can support organizations in their cybersecurity risk management efforts (and work in concert with the NIST framework) is the Center for Internet Security’s (CIS) 20 critical control suite (CCS). These controls are recommended actions that provide specific and actionable ways to stop today’s most pervasive and dangerous cyberattacks.
For organizations of all sizes, I recommend that those charged with protecting your IT systems and data become familiar with the NIST Cybersecurity Framework and the CIS 20 CCS. Training programs, certifications and even some master’s degree programs are beginning to emerge that build on the NIST Framework. However, we must remember that the NIST Cybersecurity Framework and CIS 20 CCS are tools, not solutions in and of themselves. They can provide an organization with the roadmap to conduct rigorous and regular cybersecurity enterprise risk management processes that will significantly lower its risk of catastrophic loss. The implementation of a robust cybersecurity enterprise risk management process, however, will always depend on the sustained commitment of an organization’s leaders to implementing and overseeing the process.