Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

10:30 AM
Stephen Horvath
Stephen Horvath
Connect Directly
E-Mail vvv

How to Leverage the Rosetta Stone of Information Sharing

A common framework will help in the development of cyber-risk management efforts.

"What threats are you seeing?"

"What tool did you buy?"

"Did you know an exploit for that vulnerability is in the wild?" 

Do these questions sound familiar? If you're a cybersecurity practitioner, they likely do. Historically, many organizations conduct information sharing that sounds a lot like this.

Unfortunately, these conversations are limited in scope and confined to a specific security concern, which means they rarely expand across multiple teams to achieve true organizational collaboration. You'll usually see governance folks talking to other governance folks, or security operations teams reaching out to other security operations teams.

These siloed conversations hinder an enterprise-wide ability to see the big cybersecurity picture. The good news is that cyber practitioners no longer have to take part in the same old song and dance.

With the recent mandate for public sector organizations to use the National Institute of Standards of Technology (NIST) Cybersecurity Framework (CSF) combined with increased adoption expected of the private sector, we have reached a potential tipping point for information sharing. The entire cybersecurity community — across the public and private sectors — can work together in developing more effective cyber-risk management processes that benefit everyone involved.

Redefining Information Sharing across the Enterprise
In May, the much-anticipated Cyber Executive Order called for broader adoption of the NIST CSF, which was initially introduced in 2014 to help critical infrastructure organizations manage cyber-risk more effectively.

The adoption rate of the NIST CSF has been strong. Gartner estimates that about 30% of U.S. organizations embraced the CSF in the first two years it was available, and forecasts expect that number to hit 50% by 2020.

A recent survey of attendees at this year's Amazon Web Services (AWS) Public Sector Summit found widespread support for the NIST CSF, with 80% saying that it effectively helps organizations manage risk. One of the drivers for this support is the desire for a common set of cybersecurity standards across both the public and private sectors. A remarkable 96% of those surveyed said a common language would benefit their organization.

Why is there such strong support for the NIST CSF and common standards? Well, it essentially solves the usual problems surrounding enterprise-wide information sharing. Matt Barrett, program manager for the NIST CSF, in a recent Q&A with our CSO, Rick Tracy, said that the CSF's purpose is "a way of bridging the gap between cybersecurity professionals and people who are experts in other fields."

The CSF provides a way for everyone, at every level of an organization, to understand cybersecurity in terms that are widely accepted, changing the tune of the typical cybersecurity dialog. Internally, this means that IT professionals from the server room can have an effective, worthwhile conversation with executives in the boardroom. 

In other words, it creates a universal language for cybersecurity. Similar to Rosetta Stone software making it easy to quickly learn a new language, the CSF provides a simple way for anyone to quickly pick up the intricacies of cybersecurity and a robust cyber-risk management plan. 

The CSF becomes the common lexicon that adds sorely needed context, especially when discussing gaps in security defenses and residual risks. In some cases, conversations are not enough if you don't understand the place your colleagues are coming from. As enterprises aim to improve their cyber-risk management processes, information sharing will take on new depth and meaning, empowered by a common language that is understandable both vertically within organizations as well as horizontally among other companies.

Automation Encourages Enterprise-Wide Collaboration
Despite the fact that the CSF has received significant support in the public sector, too many organizations in both the public and private sectors still see it as "just another framework" because they've seen many previous attempts at developing a common cybersecurity language fall to the wayside.

This is due in part to headaches associated with compliance. That same survey asked participants to name their biggest compliance challenge and two rose above the rest — 46% percent said it takes too much time and 45% said it is too complex. These responses were not surprising, unfortunately. Time and complexity are the compliance woes that have plagued cybersecurity leaders for years, and have inhibited any sustained efforts to modernize, innovate, and develop a much-need common cybersecurity language.

Thanks to technology improvements, the answer to overcoming those compliance hurdles has arrived in the form of automation. Organizations are now able to automate compliance standards such as the NIST CSF, which leads to dramatic savings in cost and time. By doing so, there can be an added focus on empowering employees to spend their time on more critical tasks, like responding to threats and risks. Similarly, automation frees up resources that can instead be devoted to innovation, research, and training.

Truly forward-leaning organizations with a focus on security that want to alleviate the burdens of complex compliance activities can implement automated processes that can reduce the time and effort needed by half.

Despite the challenges associated with compliance, automation presents an opportunity to streamline the compliance process. It's time that organizations become empowered to better utilize technologies that vastly improve cyber-risk management and allow for the necessary collaboration that will drive the future of cybersecurity. 

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.


Stephen Horvath is Vice President of Strategy and Vision at Telos Corporation, a leading provider of continuous security solutions and services for the world's most security-conscious agencies and organizations. Within this role, he is responsible for leading the development ... View Full Bio
Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-04-02
In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.
PUBLISHED: 2020-04-01
The UniFi Video Server v3.9.3 and prior (for Windows 7/8/10 x64) web interface Firmware Update functionality, under certain circumstances, does not validate firmware download destinations to ensure they are within the intended destination directory tree. It accepts a request with a URL to firmware u...
PUBLISHED: 2020-04-01
The UniFi Video Server (Windows) web interface configuration restore functionality at the “backup� and “wizard� endpoints does not implement sufficient privilege checks. Low privileged users, belonging to the PUBLIC_GROUP ...
PUBLISHED: 2020-04-01
In UniFi Video v3.10.1 (for Windows 7/8/10 x64) there is a Local Privileges Escalation to SYSTEM from arbitrary file deletion and DLL hijack vulnerabilities. The issue was fixed by adjusting the .tsExport folder when the controller is running on Windows and adjusting the SafeDllSearchMode in the win...
PUBLISHED: 2020-04-01
LearnDash Wordpress plugin version below 3.1.6 is vulnerable to Unauthenticated SQL Injection.