By Jessica S. Diaz – Chief Operating Officer at ClearArmor Corporation
Serious data breaches happen almost daily, despite the billions spent on safeguarding. These breaches continue to occur even in organisations at the pinnacle of cybersecurity technology, such as the CIA and NSA in the US. In response, organisational leadership and their boards are held responsible and accountable.
Executive management and the board are having trouble taking control of cyber governance as they view cybersecurity as a technical problem solved by technology and tools alone, while they focus on business operations and have little insight into the technology that powers their organisation. In contrast, security teams are focussed on highly-technical information and tasks and do not have insight into business practices.
Failed cybersecurity programmes lead to loss of intellectual property, decreased shareholder value, injured reputation, reduced revenue and, ultimately, legal action. Stringent regulations and legislature has passed, holding organisations and their leadership accountable for data breaches due to lack of implementing structured cybersecurity programmes.
2017 saw its fair share of major breaches, from Yahoo to Equifax and the situation is projected to get worse. Forecasts predict that cybercrime will increase significantly over the next few years and cybercrime will cost global businesses more than $2trillion by 2019, increasing to almost four times the estimated cost of breaches in 2015. Another report predicts cybercrime to incur costs upward of $3trillion by 2025.
Due to ever-increasing cybersecurity threats, the US Government implemented a cybersecurity initiative through a presidential executive order on 11 May 2017. All US agencies must align their cybersecurity efforts with the National Standards and Technology Institute’s CyberSecurity Framework (NIST Framework) to manage cybersecurity risk. Organisations conducting business a with the US government will be expected to implement the same framework.
The EU General Data Protection Regulation (GDPR) changes become enforceable on 25 May 2018. The biggest change is a jurisdiction change. Previously, the territorial applicability of the order was ambiguous. The current directive clarifies the ambiguity and states that GDPR now applies ‘to all companies processing the personal data of data subjects residing in the [European] Union, regardless of the company’s location’. From this date, those who fall within these constraints, must comply with the updated regulation. In addition, notification of a data breach must be disseminated within 72 hours of first becoming aware of the breach. Organisations that fail to comply with the new regulation can incur fines up to four per cent of their annual revenue. That is a significant amount of an organisation’s bottom line.
The UK’s new Data Protection Bill, currently under amendment, will replace the UK Data Protection Act of 1998. The new bill is legislatively similar to GDPR and will also incorporate the Police and Criminal Justice Directive – further tightening controls on personal data.
Why cybersecurity tools alone do not work
Historically, leaving cybersecurity solely in the hands of the technology department, implemented from a ‘bottom-up’ approach, has been the norm. Millions are spent on specific tools to address specific problems – termed ‘whack-a-mole’ security by cybersecurity practitioners. Over the years, more tools are added and eventually fall out of favour, then new tools take their place. Some tools do not integrate with other tools and will need certain functionality turned off. Often, they are purchased out of fear and uncertainty.
Technology and tools alone are no longer sufficient countermeasures against organisational risk. They do no not define business/agency criticalities. Bad-actors have become too advanced and network footprints have become too vast due to ever-changing networks and the Internet of Things (IoT). True cybersecurity programmes must be based on some sort of standards with the organisation or agency in mind. A nuclear power plant will have different critical risks than a financial institution. This calls for a ‘top-down’ approach. Cybersecurity starts with leadership and the board, and flows down to the technology level of a company. Additionally, they must follow a process, include a logical path from its current state to its desired state, take into account each organisation’s defined business risk and have a continuance plan so that it can be sustainable over time.
Why a standards-based approach?
A standards-based approach to cybersecurity enables organisations to benefit from the knowledge and experience of a wide range of industry best practices to create their cybersecurity programme and assess their cyber readiness. Adopting a standards-based approach – the NIST Framework and the European Network and Security Agency’s (ENISA) Directive on Security of Network and Information Systems (NIS Directive) and the ISO/IEC 27000 family of standards – will transform your organisation’s cybersecurity programme.
Industry standards are published documents based on accepted best practices. These best practices create methods and requirements, which increase the reliability of product or service. It sets an accepted threshold against which multiple organisations can be measured. Industry standards create a low-cost effective way for organisations to access and utilise the knowledge gained over time by industry experts. When industry standards are properly applied to cybersecurity, they allow organisations to create a robust and sustainable cybersecurity programme.
“A standards-based approach to cybersecurity enables organisations to benefit from the knowledge and experience of a wide range of industry best practices to create their cybersecurity programme and assess their cyber readiness”
When implemented correctly, industry standards have several other advantages. Cybersecurity industry standards allow an organisation or agency to assess their current state of cybersecurity readiness, define their desired state, perform a gap analysis against the two and create a plan to address the gaps. Adopting industry standards allows organisations to move to a more premeditated and structured cybersecurity programme, which protects an organisation’s critical assets and significantly reduces risk.
Adopt the gold standard
The NIST Framework focusses on using business drivers to guide cybersecurity activities and takes into consideration cyber risks as part of the organisation’s risk management processes. It was crafted to be applied by any organisation of any size, regardless of industry and it has become the accepted gold standard.
The NIST Framework suggests that a cybersecurity programme is organisation-specific, custom-designed and then implemented, as opposed to throwing the latest technology on top of the pile of existing tools. Through 106 specific controls, the framework addresses the business, its functions and its goals. It is a controlled application of procedures and technology, which results in a thorough and continuous cybersecurity programme that is sustainable, measurable and manageable.
According to NIST: “Similar to financial and reputational risk, cybersecurity risk affects a company’s bottom line. It can drive up costs and affect revenue. It can harm an organisation’s ability to innovate and to gain and maintain customers.”
NIST allows organisations to create a cybersecurity plan tailored to their individual needs, including regulatory and legal requirements, such as GDPR and ISO. Gartner, the world’s leading research and advisory company, predicts that by 2020 more than 50 per cent of organisations will implement the NIST Framework. The widespread adoption of NIST Framework makes it the gold standard for creating robust cybersecurity.
Why a top-down approach?
Cybersecurity industry standards dictate that in order to implement a structured cybersecurity programme, cybersecurity policy must start at the top of the organisation and should propagate down. Cybersecurity is a high priority for most organisations, but many organisations seek to address it by applying additional layers of technology. Cybersecurity should be a top-down approach from the executive level, down throughout
the entire organisation, as it provides leadership with continuous oversight. More often than not, cybersecurity is not included at the executive level of an organisation’s strategy or policy, such as fiscal policy.
A cyber breach can damage an institution’s reputation, have an adverse effect on its stock or value, significantly impact its bottom line and create major consequences that could have been avoided through the proper implementation of effective cybersecurity policies. A cybersecurity risk management strategy, with relevant business information and defined cybersecurity business risk, is as important as sound fiscal and other business risk management strategies. Fiscal and business risk strategies are set by the board and CEO and imposed throughout the organisation, including the expectation that the organisation will adhere to industry standards and best practices, such as financial reporting standards. To protect the organisation’s valuable assets, every team player must be involved. The strategy, objectives and mission should be disseminated and processes implemented to weave it into corporate culture.
“A cyber breach can damage an institution’s reputation, have an adverse effect on its stock or value, significantly impact its bottom line and create major consequences that could have been avoided through the proper implementation of effective cybersecurity policies”
Most importantly, cultivating a cybersecurity-focussed culture from the top-down, within the organisation, will allow for employee security participation. A security-focussed corporate culture is an often overlooked but core component of cyber governance and security.
Where does an organisation start?
Implement a methodology to define business drivers Organisations must follow a process that begins with a definition of how leadership views the organisation; followed by identification of risks and vulnerabilities; and concludes with a designed and organisation-specific cybersecurity programme. Business-critical areas are identified during this process, which allows the organisation to direct resources and activities for effective cyber governance.
Decide what technology and tools are needed Once business drivers are defined, an organisation must determine what technology and tools are needed to implement a standards-based cybersecurity programme. Some of the technologies and tools available allow for:
- Real-time discovery of network components
- Software and hardware management
- Password management
- Cybersecurity training management
- Patch management and validation
- Software whitelisting/blacklisting
- Hardware whitelisting/blacklisting
- Secure software deployment
- Vulnerability and configuration testing
- Application mapping
- Port flow analysis
- Real-time hash management
- Automated configuration management
- Active directory management
Baseline the network and monitor it in real-time Much like defending any territory, an organisation must have a map of their network landscape. The network ‘map’ must be updated constantly to understand its cybersecurity landscape and change patterns to better prevent attacks. Baselining the network allows organisations to map what traffic is on the network. Traffic patterns then emerge and through those patterns exploits can be flagged if unusual activity is monitored.
Additionally, network health can also be monitored. Much like we monitor our vitals at the doctor – blood pressure, heart rate, temperature – which all indicate a person’s state of health, we can monitor the health of the network – hardware, software, changes in traffic, patching, software updates, unauthorised access, etc.
Reduce human error through automation According to the Association of Corporate Counsel Foundation’s State of Cybersecurity Report, 45 per cent of recent data breaches were the result of human-related errors. Human factors must be considered and included within a cybersecurity process. Automation of cybersecurity functions and management can help alleviate human error. Automation of functions, such as patching and software distribution, allows company assets to receive the latest software updates and minimises risk of a breach due to known vulnerabilities.
Reporting and dashboards Most important, an organisation should be able to report on its current cybersecurity health. This is not only for leadership’s oversight, but also for cybersecurity risk management reporting. Implementing a complete standards-based cybersecurity programme with reporting will also provide an organisation a defensible position should a breach occur.
Dashboards are a daily tool necessary for all levels of the organisation. Dashboards change corporate culture and make cybersecurity a priority. High-level dashboards on overall cyber health are mostly needed at the top of the organisation, whereas detailed dashboards that drill down into log files and the like are preferred by technology practitioners. Ideally, dashboards should be customised for the organisation based on business needs.
Cybersecurity is not one-and-done
A cybersecurity plan, programme, system – no matter what it is called – is not one-and-done. It must be sustainable and evolve with organisational needs over time. It is iterative and must be rolled out to adapt to change, otherwise it will fail.
About the Author:
Jessica S. Diaz is Chief Operating Officer at ClearArmor Corporation. ClearArmor is a partner of NIST’s National Cybersecurity Center of Excellence(NCCoE). Jessica’s business management experience spans over 19 years, where she has mainly focused on security. Before joining ClearArmor, she dedicated her time to large emerging technology programs.