Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.
CISO Sixth Sense: NIST CSF 2.0's Govern Function
2024 will redefine CISO leadership while acknowledging the management gap.
COMMENTARY
Cybersecurity leaders are constantly on the hunt for tools and strategies to navigate the complex landscape of digital threats. But despite consistently being held accountable for safeguarding digital assets, chief information security officers (CISOs) have long grappled with a glaring deficiency in their management arsenal: They lack the oversight of their entire operations that would allow them to grasp the big picture while being able to quickly zoom in on what’s critical.
The first version of the National Institute of Standards and Technology's Cybersecurity Framework was developed in 2014 in response to a presidential executive order (EO 13636, Improving Critical Infrastructure Cybersecurity) aimed at helping critical infrastructure organizations mitigate cybersecurity risk. The order directed NIST to work with industry and government stakeholders to create a voluntary framework based on existing standards, guidelines, and practices. The resulting Cybersecurity Framework 2.0 expands its existing five basic functions (Identify, Protect, Detect, Respond, and Recover) and describes the newly included function: Govern.
Integral to the CISO
The introduction of the Govern function signifies a crucial industry acknowledgment that effective management is an integral part of the CISO role. In practical terms, the Govern function bridges a critical gap in the CISO's toolkit, allowing for a more comprehensive approach to management. Previously, CISOs encountered challenges in addressing key questions and concerns that crossed their desks, leading to gaps in their ability to manage effectively. They had no way to answer how well they were enforcing policies, whether they were progressing, or whether their latest investment had a significant impact on overall performance.
For instance, what is the level of readiness against a specific threat? Today, checking on policy enforcement and the health of controls is too often driven by a rumor that a threat is trending. This is a reactive approach that is likely to bear results too late. A more proactive approach means that security leaders have continuous visibility into the performance of a range of controls and programs and can easily gain indications as soon as a policy has been breached. Currently, the process of gathering these data points from various product owners is so frustrating that most CISOs simply give up and live without it. But rest assured that the moment a threat knocks on their door, they will chase this data urgently. Even if it's too late.
The process of new product procurement is yet another example of where effective management has been limited. For example, once a CISO buys a new code protection tool, there is no easy way to confirm its enrollment, unless they ask the team to allocate time to submit a report. Performance is a group of various measurements: Does the tool properly scan? Does it cover all the relevant environments? Is the mean time to resolve (MTTR) sufficient? Are most of the events handled automatically or manually? Does the team face unresolved challenges?
Consider that code protection is only one tool out of a wide range of capabilities, and only within the world of vulnerabilities. Multiply this by dozens of tools and questions across multiple programs. A poor management process costs an organization dozens of months and hours of labor. It is not easily repeatable or scalable.
Empowering Executives With Transparency, Visibility
This lack of visibility into operational aspects means that CISOs essentially are managing in the dark, making informed decision-making and strategic planning difficult. They are left with many tools, many siloed data narratives, and all the pieces to puzzle together to tell a broader narrative.
The Govern function in NIST CSF 2.0 directly addresses these shortcomings, providing a framework for effective management. For Govern to empower CISOs in their management roles, it should embody several key attributes.
First, transparency must become paramount, allowing CISOs to gain insights into the implementation status of controls and assess the level of protection provided by their security measures as an overall story and trend, not tool by tool. For example, the CISO office would establish a policy that a user without multifactor authentication (MFA) who continuously fails phishing training will be blocked from corporate emails. To see if the policy is being enforced, the CISO would need continuous trending data points from two different tools, and these points would need to be correlated on an ongoing basis.
Second, this layer of wisdom needs to be driven by an automated metrics system, not based on spreadsheets. This system would transcend the diverse languages and measurements associated with different tools and programs, ensuring a holistic approach without getting lost in technical jargon.
Third, there's a need for a straightforward method to translate the intricate security stack into terms that are understandable by executive boards. This addresses the increasing need for CISOs to justify ongoing investments amid budget constraints.
Finally, real-time and continuous monitoring of performance is essential, enabling a perpetual view into policy enforcement trends and ensuring that CISOs are not just reactive but proactive in managing and enhancing their cybersecurity measures. Spreadsheets are static moments in time and not operational. CISOs need to take a big leap forward toward streamlined and automated management, just like Monday.com did for project managers.
In essence, the Govern function is a recognition that effective management is not just an expectation but a necessity for CISOs. With CSF 2.0, CISOs gain their sixth sense to govern, manage, and measure their cybersecurity operations with a new kind of knowledge and insight, and more adeptly, ushering in a new era of proactive and informed leadership.
About the Author
You May Also Like
DevSecOps/AWS
Oct 17, 2024Social Engineering: New Tricks, New Threats, New Defenses
Oct 23, 202410 Emerging Vulnerabilities Every Enterprise Should Know
Oct 30, 2024Simplify Data Security with Automation
Oct 31, 2024