Modern aircraft are highly sophisticated machines that undergo rigorous testing and certifications. Yet, no matter how many advanced systems are on board or how thoroughly an aircraft is checked, secure flying still depends on pilots and the processes that support them. In other words, there is still a clear line between the platform we ride into the air and the entity that operates that platform. And when warning lights appear during unexpected in-flight events (the weather, mechanical, security or any other cause) – it’s not the plane’s certifications that count, it’s the pilot’s situational awareness and response. It’s the same in cybersecurity. For the past decade, we’ve been legitimately focused on building out our infrastructure – devices, servers, software, platforms, playbooks, tools, processes, incident response procedures and certifications. We’ve been concentrating on building and equipping our ‘planes’ to be secure.
Yet, while these efforts should continue, the industry has matured. We’re at the point where building infrastructure alone is not sufficient. We need to see how all those moving parts can work better together. There’s a shift in thought from “What controls do I have?” to “How well are my controls doing?” This shift is readily evident in the just-released NIST CSF 2.0.
As of this writing, it’s been a decade since NIST introduced its cybersecurity framework (CSF) 1.0. The CSF was created following a 2013 executive order that tasked NIST with designing a voluntary cybersecurity framework for managing cyber risk that offers guidance based on established standards and best practices.
While the top cybersecurity challenges we faced in 2014 are hauntingly familiar (in theme if not in technology) to those we face today – a lot has changed since then, and the new CSF has been adapted to meet this new reality.
CSF 2.0 has added “govern” as one of its six core cybersecurity functions (in addition to identify, protect, detect, respond and recover). These ‘functions’ are actually NIST-speak for desired cybersecurity outcomes – meaning that cybersecurity governance is now considered a foundational part of overall enterprise cyber risk management.
Bringing governance to the forefront is great news for cybersecurity and organizations. Yet it’s less great news for those brave souls expected to fly the cybersecurity plane: the CISOs. The reason? Flooded with data from the disparate tools that comprise today’s security stack, they lack a unified view of performance. This makes it difficult to identify critical gaps, measure progress and optimize resources.
Despite the dire need for effective cyber governance that CSF 2.0 highlights – CISOs are still flying blind.
To deliver the promise of cyber governance, CISOs need better access to aggregated, accurate and up-to-date information about the performance of their infrastructure. For example, if a CISO has just hired a new team to handle EPP or code protection and defined next quarter’s goals, she needs to know in real time whether the tool was deployed and whether scanning was done according to the agreed cycles. She needs to track the team’s learning curve: are they meeting the MTTR target for critical vulnerabilities, or do they need further training? She needs to understand on the fly whether there is a correlation between employees who have not yet onboarded new tools and vulnerabilities that affect security posture. She needs to know how completing security awareness training impacts security across the organization today, so she can address not only immediate concerns but also future risks.
In other words, it’s time for CISOs to adopt the data-driven tools (that their peers in other departments have long enjoyed) that enable true governance.
Last month’s AnyDesk incident, where a vulnerability in remote desktop software exposed millions of users to potential compromise, is just one recent example of the crucial need for better cybersecurity governance practices and tools.
There are thousands of such incidents every quarter. In this particular incident, there was an immediate scramble by organizations using the software to determine which assets had the AnyDesk client installed and which AnyDesk client version was running on which asset. Had they patched all AnyDesk clients? Were there highly privileged users who’d been compromised? Gathering the answers to these basic questions around where the tools have been deployed, what version, for which kind of users and how well they are working takes too much time to make meaningful decisions in moments of need.
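The questions raised above (is the tool deployed everywhere, which assets run an outdated client, are scans happening on the agreed cycle, are critical findings closed within the MTTR target, and which privileged users sit on exposed assets) are all answerable from an asset inventory and a findings list, provided the data is aggregated in one place. The following Python script is an added example, not code from the original article or from any vendor: it builds a small, constructed inventory (hostnames, dates, the client version numbers and the `REQUIRED_VERSION` floor are all placeholders, not real product versions) and computes the governance metrics a CISO would want on a dashboard.

```python
"""Governance metrics from an aggregated asset inventory and findings list.

All sample data below is constructed for illustration; hostnames, version
numbers and dates are placeholders, not values from any real environment.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Asset:
    hostname: str
    privileged_owner: bool          # asset is used by a highly privileged account
    client_version: Optional[str]   # None means the remote-access client is not installed
    last_scan: Optional[date]       # None means the asset has never been scanned


@dataclass(frozen=True)
class Finding:
    hostname: str
    severity: str                   # "critical", "high", "medium", ...
    opened: date
    closed: Optional[date]          # None means the finding is still open


AS_OF = date(2024, 3, 1)            # constructed reporting date
REQUIRED_VERSION = "2.5.0"          # constructed placeholder for the minimum patched client version
MAX_SCAN_AGE_DAYS = 14              # agreed scanning cycle (assumption)

# Constructed inventory: five assets in deliberately different states.
ASSETS = [
    Asset("ws-01", False, "2.5.0", date(2024, 2, 27)),   # compliant
    Asset("ws-02", True, "2.4.1", date(2024, 2, 20)),    # outdated client, privileged user
    Asset("ws-03", False, None, date(2024, 2, 10)),      # client not deployed, scan overdue
    Asset("srv-01", True, "2.5.2", None),                # patched, but never scanned
    Asset("srv-02", False, "2.3.0", date(2024, 2, 29)),  # outdated client
]

# Constructed findings: three critical (one still open) and one high.
FINDINGS = [
    Finding("ws-02", "critical", date(2024, 2, 1), date(2024, 2, 4)),
    Finding("srv-02", "critical", date(2024, 2, 10), date(2024, 2, 17)),
    Finding("ws-03", "critical", date(2024, 2, 20), None),
    Finding("ws-01", "high", date(2024, 2, 5), date(2024, 2, 6)),
]


def parse_version(version: str) -> tuple:
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def deployment_coverage(assets) -> float:
    """Fraction of assets on which the client is installed at all (the 'was it deployed?' question)."""
    deployed = sum(1 for a in assets if a.client_version is not None)
    return deployed / len(assets) if assets else 0.0


def outdated_assets(assets, required: str = REQUIRED_VERSION) -> list:
    """Assets running a client older than the required version (the 'was it patched?' question)."""
    floor = parse_version(required)
    return [a.hostname for a in assets
            if a.client_version is not None and parse_version(a.client_version) < floor]


def overdue_scans(assets, as_of: date = AS_OF, max_age_days: int = MAX_SCAN_AGE_DAYS) -> list:
    """Assets never scanned, or last scanned outside the agreed cycle."""
    return [a.hostname for a in assets
            if a.last_scan is None or (as_of - a.last_scan).days > max_age_days]


def privileged_on_outdated(assets, required: str = REQUIRED_VERSION) -> list:
    """Privileged users sitting on an outdated client: the highest-priority remediation list."""
    at_risk = set(outdated_assets(assets, required))
    return [a.hostname for a in assets if a.privileged_owner and a.hostname in at_risk]


def mttr_days(findings, severity: str) -> Optional[float]:
    """Mean time to remediate closed findings of one severity; None if nothing has been closed yet."""
    durations = [(f.closed - f.opened).days for f in findings
                 if f.severity == severity and f.closed is not None]
    return sum(durations) / len(durations) if durations else None


def open_findings(findings, severity: str) -> int:
    return sum(1 for f in findings if f.severity == severity and f.closed is None)


def governance_report(assets=ASSETS, findings=FINDINGS, mttr_target_days: int = 5) -> dict:
    """One aggregated view answering the deployment, patch, scan-cycle and MTTR questions."""
    critical_mttr = mttr_days(findings, "critical")
    return {
        "coverage": deployment_coverage(assets),
        "outdated": outdated_assets(assets),
        "overdue_scans": overdue_scans(assets),
        "privileged_on_outdated": privileged_on_outdated(assets),
        "critical_mttr_days": critical_mttr,
        "critical_open": open_findings(findings, "critical"),
        "mttr_target_met": critical_mttr is not None and critical_mttr <= mttr_target_days,
    }


if __name__ == "__main__":
    for metric, value in governance_report().items():
        print(f"{metric}: {value}")
```

In a real deployment the `ASSETS` and `FINDINGS` lists would be fed from the endpoint management, vulnerability scanning and ticketing systems rather than hard-coded; the point of the example is that once those feeds are joined on a common asset identifier, each of the questions in the text becomes a short query that can be re-run continuously instead of answered by a scramble during an incident.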
This is where governance comes into play. Waiting for a crisis to unfold before gaining visibility into crucial controls leads to far longer response times and far greater risk. This reactive approach leaves organizations more vulnerable, constantly trying to catch up to emerging threats instead of proactively managing them.
Effective ongoing cybersecurity governance manages risk in incidents like AnyDesk. When CISOs can access real-time data, they can continuously measure and optimize their performance against emerging or ongoing incidents. They can grasp the bigger picture to better prioritize and not get lost in the stress of collecting input.
Just like pilot awareness is crucial during unexpected aviation events, cybersecurity’s traditional focus on infrastructure needs to shift to more adept governance. The industry’s historical focus on building and equipping cybersecurity “planes” – platforms, tools and processes – needs to evolve.
The introduction of NIST CSF 2.0 and its inclusion of “govern” as a core function represents a paradigm shift. The next decade’s cybersecurity will emphasize not just possessing controls but also evaluating their performance, not measuring in silos but managing based on a continuous grasp of the bigger picture. It’s time for CISOs to embrace advanced data-driven cyber governance tools for a safer cyber journey.
Image source: Domagoj Ćosić (Unsplash license) https://unsplash.com/photos/nv5uZB7ReyY