How to Leverage the Rosetta Stone of Information SharingA common framework will help in the development of cyber-risk management efforts.
"What threats are you seeing?"
"What tool did you buy?"
"Did you know an exploit for that vulnerability is in the wild?"
Do these questions sound familiar? If you're a cybersecurity practitioner, they likely do. Historically, many organizations conduct information sharing that sounds a lot like this.
Unfortunately, these conversations are limited in scope and confined to a specific security concern, which means they rarely expand across multiple teams to achieve true organizational collaboration. You'll usually see governance folks talking to other governance folks, or security operations teams reaching out to other security operations teams.
These siloed conversations hinder an enterprise-wide ability to see the big cybersecurity picture. The good news is that cyber practitioners no longer have to take part in the same old song and dance.
With the recent mandate for public sector organizations to use the National Institute of Standards of Technology (NIST) Cybersecurity Framework (CSF) combined with increased adoption expected of the private sector, we have reached a potential tipping point for information sharing. The entire cybersecurity community — across the public and private sectors — can work together in developing more effective cyber-risk management processes that benefit everyone involved.
Redefining Information Sharing across the Enterprise
In May, the much-anticipated Cyber Executive Order called for broader adoption of the NIST CSF, which was initially introduced in 2014 to help critical infrastructure organizations manage cyber-risk more effectively.
The adoption rate of the NIST CSF has been strong. Gartner estimates that about 30% of U.S. organizations embraced the CSF in the first two years it was available, and forecasts expect that number to hit 50% by 2020.
A recent survey of attendees at this year's Amazon Web Services (AWS) Public Sector Summit found widespread support for the NIST CSF, with 80% saying that it effectively helps organizations manage risk. One of the drivers for this support is the desire for a common set of cybersecurity standards across both the public and private sectors. A remarkable 96% of those surveyed said a common language would benefit their organization.
Why is there such strong support for the NIST CSF and common standards? Well, it essentially solves the usual problems surrounding enterprise-wide information sharing. Matt Barrett, program manager for the NIST CSF, in a recent Q&A with our CSO, Rick Tracy, said that the CSF's purpose is "a way of bridging the gap between cybersecurity professionals and people who are experts in other fields."
The CSF provides a way for everyone, at every level of an organization, to understand cybersecurity in terms that are widely accepted, changing the tune of the typical cybersecurity dialog. Internally, this means that IT professionals from the server room can have an effective, worthwhile conversation with executives in the boardroom.
In other words, it creates a universal language for cybersecurity. Similar to Rosetta Stone software making it easy to quickly learn a new language, the CSF provides a simple way for anyone to quickly pick up the intricacies of cybersecurity and a robust cyber-risk management plan.
The CSF becomes the common lexicon that adds sorely needed context, especially when discussing gaps in security defenses and residual risks. In some cases, conversations are not enough if you don't understand the place your colleagues are coming from. As enterprises aim to improve their cyber-risk management processes, information sharing will take on new depth and meaning, empowered by a common language that is understandable both vertically within organizations as well as horizontally among other companies.
Automation Encourages Enterprise-Wide Collaboration
Despite the fact that the CSF has received significant support in the public sector, too many organizations in both the public and private sectors still see it as "just another framework" because they've seen many previous attempts at developing a common cybersecurity language fall to the wayside.
This is due in part to headaches associated with compliance. That same survey asked participants to name their biggest compliance challenge and two rose above the rest — 46% percent said it takes too much time and 45% said it is too complex. These responses were not surprising, unfortunately. Time and complexity are the compliance woes that have plagued cybersecurity leaders for years, and have inhibited any sustained efforts to modernize, innovate, and develop a much-need common cybersecurity language.
Thanks to technology improvements, the answer to overcoming those compliance hurdles has arrived in the form of automation. Organizations are now able to automate compliance standards such as the NIST CSF, which leads to dramatic savings in cost and time. By doing so, there can be an added focus on empowering employees to spend their time on more critical tasks, like responding to threats and risks. Similarly, automation frees up resources that can instead be devoted to innovation, research, and training.
Truly forward-leaning organizations with a focus on security that want to alleviate the burdens of complex compliance activities can implement automated processes that can reduce the time and effort needed by half.
Despite the challenges associated with compliance, automation presents an opportunity to streamline the compliance process. It's time that organizations become empowered to better utilize technologies that vastly improve cyber-risk management and allow for the necessary collaboration that will drive the future of cybersecurity.
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.
Stephen Horvath is Vice President of Strategy and Vision at Telos Corporation, a leading provider of continuous security solutions and services for the world's most security-conscious agencies and organizations. Within this role, he is responsible for leading the development ... View Full Bio