
During NCS Madison’s CIO & CISO Strategy Meeting in Boston, MA on April 23, 2019, my discussion group concluded that evolving cyber threats and regulations are triggering enhanced capabilities in enterprises and initial capability in start-ups and small businesses.
DISCUSSION SUMMARY
Digital Transformation has driven rapid change in how organizations develop, deliver, and manage their businesses. Technology has become the enabler for business value and the new target for crime. As a result, cybersecurity is now an agenda item in the boardrooms of organizations big and small.
At NCS Madison’s 2019 CIO & CISO Strategy Event in Boston, MA, fifteen cybersecurity leaders shared their strategy for cybersecurity and explored trends. The organizations represented a mix of small and large scale enterprises, operating in healthcare, banking, pharma, retail, manufacturing, and the public sector. The discussion included:
- Aligning the Cybersecurity Plan;
- Obtaining Actionable Intelligence;
- Developing Cybersecurity Practices;
- Cybersecurity Plan Validation and Reporting.
Despite the diversity of the participants, all agreed to these takeaways:
- Established enterprises are increasingly adding secondary security frameworks to refine cybersecurity capabilities. Most enterprises are adding the CIS Critical Security Controls.
- Small and emerging organizations are rapidly adopting the NIST Cybersecurity Framework (CSF) to drive cybersecurity planning.
- Emerging privacy regulations are clouding established frameworks for asset classification and control. Planning cybersecurity uniformly across these mandates is problematic at best.
- New organizational approaches are evolving to ensure stakeholder involvement when setting front office vs. back office priorities. Departmental alignment is no longer sufficient.
- The search for actionable intelligence continues. No common approach or methods surfaced in the discussion.
- Culture remains one of the biggest obstacles in cybersecurity capability, especially in the public sector.
- All are doing some form of ethical hacking to validate cybersecurity capabilities.
DISCUSSION COMMENTARY
The starting point for cybersecurity planning is to identify the control objectives most appropriate for the inherent risks of the organization. Inherent risk is determined by the products and services the organization offers, the technology in use, and how its systems and third parties are connected.
Stakeholders are a key component of a successful cybersecurity plan. As businesses undergo digital transformation, key managers from the front office are now coming into play. One participant offered a three-domain approach for identifying stakeholders: 1) Operational technology (IT, automation and planning), 2) Cross technology (security systems and design), 3) Commercialized technology (outward-facing products and services). All concurred that digital marketing is more important than ever, and that big data and business intelligence also support this effort.
Tenable's Trends in Security Framework Adoption Survey found that 84% of organizations align to at least one security framework, while 44% use more than one. Almost all of our group used at least one, and the majority used two. The survey also ranked the frameworks in use: PCI DSS (47%), the ISO 27000 series (35%), CIS Critical Security Controls (32%), and the NIST Framework for Improving Critical Infrastructure Cybersecurity (29%). The majority of our group used the NIST Framework.
Rapid changes in laws and regulations are challenging cybersecurity planning. The group discussed Risk & Insurance's Top 5 Privacy and Cyber Regulations and Why They Should Concern Risk Managers. Most have been focusing on GDPR and believe it is a lot of work but doable. The California Consumer Privacy Act (CCPA) is problematic because its definition of personal information does not match those of the other regulations. Much like GDPR, New York's Cybersecurity Regulation (23 NYCRR Part 500) is a lot of work but manageable.
Much of cybersecurity capability hinges on the ability to obtain actionable intelligence. No uniform approach was offered by the group. Many are collecting vulnerability data in real time, analyzing it, and prioritizing next steps. Some position this as a subcomponent of a broader data analytics strategy. Others look at the behavior of users on their systems and investigate anomalies. A few in the group use deception technologies to lure adversaries in and foil their reconnaissance efforts.
The team discussed Ponemon Institute's report Separating the Truths from the Myths in Cybersecurity, in which 84% of respondents were concerned that their cybersecurity practices were not keeping pace, 30% stated that a product cybersecurity program had yet to be established, and 63% reported that less than half of their IT assets are tested for vulnerabilities. One attendee working in state government, supporting gaming technology, raised her concern about culture. The biggest struggle is changing the human concept of what risk and security mean; the context of digital transformation is foreign to many people. Many in the group agreed that culture needs to move higher in the top 10 list. One suggested simulated phishing campaigns to spread awareness, backed by continuous education. Another has started to embed the business in the IT governance model so that security becomes part of the culture.
References: