Today, the US Cybersecurity and Infrastructure Security Agency (CISA) released its report on the Vulnerability Disclosure Policy program, indicating that it had received 1,330 “valid” vulnerabilities, of which more than 20% were “critical” or “severe.” This suggests that despite the upswing in cybersecurity efforts over the last few years, many entities remain seriously vulnerable. To CISA’s credit, the program has helped successfully address a broad majority of these threats. But serious issues remain, especially in the area of overall cyber governance, which offers deeper resilience to such vulnerabilities. Cities have no defined cybersecurity access policy. Organizations lack defined inventory and processes for their networked environment. Government entities fail to maintain cyber hygiene while communicating with large groups of constituents.
Cybersecurity standards and frameworks have become part of the lexicon for global technology and operations leadership since the first release of the NIST Cyber Security Framework (CSF) in 2014. Why do the same errors and oversights continue to lead to unfettered access, sweeping malware, and crippling cyber events?
As innovation-focused and tech-based societies, we have strived for technological solutions to replace outdated systems and curtail human error. Outdated systems and human error underpin enterprise risk, and it is this risk that cyber threat actors exploit. To counter the threat, senior leadership must support the development of cybersecurity strategies, plans, and operations that transform organizations and build resilience.
As the last decade has shown, the development of cybersecurity governance has been an ad hoc process with underwhelming support in organizations, treated as just another item on the compliance checklist. The failure to understand their own environments in a formal, proactive manner has left many organizations with limited cyber awareness. This minimal level of proactivity is what the framework classifies as Tier 1. Tier 2 benchmarks considerably greater activity on the part of organizations, allowing management to respond to events as they happen.
NIST and global regulators have identified that organizations whose cybersecurity programs remain at the Tier 1 and Tier 2 levels stay vulnerable, lack the full capability to respond and recover, and introduce vulnerability into the wider cyber ecosystem. To push these organizations forward while also shifting the paradigm from compliance to best practice, NIST will release the second iteration of the CSF, adding governance as a sixth pillar. Publication is scheduled for early 2024.
The newest pillar recognizes the need for defined cybersecurity policies that support repeatable processes, improvements based on lessons learned, and analytics-driven insights, and it categorizes organizational policy and defined processes as essential. Defined policies and processes enable organizations to identify, protect, detect, respond, and recover effectively and efficiently, propelling them upward to Tier 3 cyber capability.
Allowing self-governance enables greater autonomy, shifting the conversation from a minimum standard for technology assessments to pushing organizations to be knowledgeable and quick to respond. But this is not enough. As the NIST CSF has become a baseline for several countries and regulatory bodies worldwide, the newest pillar will push organizations to continue focused improvements to meet a true cybersecurity baseline. Moreover, the development and consistency of written policies will drive a more comprehensive review, lowering tolerance of minimal cybersecurity practices employed by third- and fourth-party vendors.
The impact of the newest pillar will be assessed over the years to come, but imagine if our organizations had baselined their cybersecurity efforts through good governance. The ability to identify, protect, detect, respond, and recover from cyber events would have prevented the sweeping malware and ransomware events of the last five years that crippled cities, corporations, and governments for days to months. Better cyber governance is something every organization and public sector entity should be pursuing to ensure the next five years are not a repeat of the last.