Evolving cyber governance in the US

Today, the US Cybersecurity and Infrastructure Security Agency (CISA) released its report on the Vulnerability Disclosure Policy program, indicating that it had received 1,330 “valid” vulnerabilities, of which more than 20% were “critical” or “severe.” This suggests that despite the upswing in cybersecurity efforts over the last few years, many entities remain seriously vulnerable. To CISA’s credit, the program has helped successfully address a broad majority of these threats. But serious issues remain, especially in the area of overall cyber governance, which offers deeper resilience to such vulnerabilities. Cities have no defined cybersecurity access policy. Organizations lack defined inventory and processes for their networked environment. Government entities fail to maintain cyber hygiene while communicating with large groups of constituents.

Cybersecurity standards and frameworks have become part of the lexicon for global technology and operations leadership since the first release of the NIST Cybersecurity Framework (CSF) in 2014. Why, then, do the same errors and oversights continue to lead to unfettered access, sweeping malware, and crippling cyber events?

As innovation-focused and tech-based societies, we have strived for technological solutions to replace outdated systems and curtail human error. Those two failings, outdated systems and human error, are the underpinning of enterprise risk, which cyber threat actors exploit. To counter this threat, senior leadership must support the development of cybersecurity strategies, plans, and operations to transform organizations and build resilience.

As the last decade has shown, the development of cybersecurity governance has been an ad hoc process with underwhelming support in organizations, treated as just another item on the compliance checklist. The failure to understand their own environments in a formal, proactive manner has left many organizations with limited cyber awareness. This minimal level of proactivity is classified as Tier 1. Tier 2 benchmarks considerably greater activity on the part of organizations, allowing management to be responsive to events as they happen.

NIST and global regulators have identified that organizations with cybersecurity programs continuously at Tier 1 and Tier 2 levels remain vulnerable, lack the full capability to respond and recover, and create vulnerability in the cyber ecosystem. To push these organizations forward while also changing the paradigm from compliance to best practice, NIST will release the second iteration of the CSF, including governance as a sixth pillar. This is scheduled for publication in early 2024.

Through the recognition of the need for defined cybersecurity policies that support repeatable processes, improvements based on lessons learned, and analytics-driven insights, the newest pillar seeks to categorize organizational policy and defined processes as essential. Defined policies and processes enable organizations to identify, protect, detect, respond, and recover in an effective and efficient manner, propelling organizations upward to having Tier 3 cyber capability.

Allowing self-governance enables greater autonomy, shifting the conversation from a minimum standard for technology assessments to pushing organizations to be knowledgeable and quick to respond. But this is not enough. As the NIST CSF has become a baseline for several countries and regulatory bodies worldwide, the newest pillar will push organizations to continue focused improvements to meet a true cybersecurity baseline. Moreover, the development and consistency of written policies will drive a more comprehensive review, lowering tolerance of minimal cybersecurity practices employed by third- and fourth-party vendors.

The impact of the newest pillar will be assessed over the years to come, but imagine if our organizations had baselined their cybersecurity efforts through good governance. With a stronger ability to identify, protect, detect, respond, and recover from cyber events, the sweeping malware and ransomware events of the last five years, which have crippled cities, corporations, and governments for days to months, would not have unfolded as they did. Better cyber governance is something every organization and public sector entity should be pursuing to ensure the next five years are not a repeat of the last.
