It is a war out there all right, and strong words are in order. Released in August 2023, the Cybersecurity and Infrastructure Security Agency's (CISA) 2024-2026 cybersecurity roadmap, which focuses on public-private collaboration and directs organizations to step up their cybersecurity posture in the light of burgeoning threats from scammers, couldn't have said it better: "Cyber incidents have caused too much harm to too many American organizations. Working together, we can change this course."
Addressing several touchpoints in the industry, the commitment of CISA and other federal bodies to arresting the spate of malicious cyber attacks on critical infrastructure, supply chains and organizational setups is driving several of their recent directives to the cyber industry.
This article looks at the key takeaways from the three most recent advisories – CISA's 3-year digital roadmap (1), DHS's Cybersecurity Performance Goals for critical infrastructure (2) and SEC's cybersecurity disclosure mandates for organizations (3) – that underscore the administration's resolve to shore up the country's digital terrain and curb cyber crime.
Not just words
Coming in the wake of POTUS's Executive Order EO 14028 (5), which was aimed at improving the nation's cybersecurity fabric and ensuring a secure digital ecosystem, the three directives don't mince words. And though the tone of the three varies from voluntary/recommendatory to mandatory, all three offer both a roadmap and specific metrics against which to measure cyber goals. The fine print speaks for itself. Cyber threats literally have the potential to bring the country to its knees. A concerted effort is needed; a new playbook needs to be pressed into action. The country just cannot afford attacks of the kind experienced in the recent past—the Bowman Avenue Dam hack (critical infrastructure), the JBS Foodchain, Colonial Pipeline and SolarWinds attacks (digital supply chains), the Broward County Schools data exfiltration attack (education), the Scripps Healthcare data breach, the T-Mobile identity theft and the CNA Financial ransomware hack, to name just a few.
The takeaways (and the touchpoints)
Let us take a look at some of the key takeaways for organizations from the three advisories:
The need for collaboration
Working together cohesively is a theme central to all three advisories. CISA's 3-year roadmap focuses on public-private partnerships, placing high emphasis on the effectiveness of agency collaboration with industry. DHS's Cyber Performance Goals advisory underscores the importance of collaboration between industry and government organizations. The SEC's mandate calls for organizations to collaborate with the commission by making accurate and timely disclosures that will shore up investor confidence and market sentiment.
The collaboration angle is best expressed by CISA, which commits to working together with developers of nascent technologies in order to mitigate threats and ensure secure-by-design products.
The takeaway for organizations is to adopt the collaboration tenet that 'together we are stronger': employees and teams working cohesively with SOCs, as one organization rather than in silos, are better placed to negotiate the cybersecurity challenge.
One size fits all
It's an established fact that cybercrime is no longer the bane of large corporations alone. Scammers are increasingly directing their attacks at small and mid-sized organizations, which are often unprepared to weather them. Once again, all three advisories are unequivocal—cybersecurity is everybody's concern. The DHS advisory says it best, underscoring the importance of businesses and owners of all sizes in the critical infrastructure space by outlining the 'highest priority baseline measures'. The SEC's advisory, too, makes no exception, requiring annual reporting of all 'material' cyber incidents and transparent disclosure of the cybersecurity policies and processes followed by all organizations.
The takeaway for organizations would be to prioritize cybersecurity, step up their security posture, and invest in best-of-class cybersecurity tools and training.
A key takeaway for organizations is the need to move their cybersecurity plans from the drawing board to a state of action, where the efficacy of their actions against predefined goals can be measured and quantified. The DHS mandate defines the cybersecurity performance goals (CPGs)—based on costs, complexity, and impact—that all organizations in the critical infrastructure space must achieve, while the SEC directives specify the precise timelines in which reporting of material incidents must be made. Once again, all organizations are brought under the net, with some allowance being extended to smaller organizations.
What the advisories are saying is clear: don't just be accountable; evaluate, measure, and benchmark your cybersecurity posture.
The top-down approach
The increasing need for boards to take the lead on cybersecurity in their organizations, rather than leaving it as the sole responsibility of the SOC or IT, is once again underscored. Organizations are required to describe the board of directors' oversight of cyber risks and to report on management's role and expertise in assessing and managing material risks. Coming a year after it first proposed a new set of rules (and affirmed it a few months later) (4), the SEC follows up on its mandates for board involvement, including the proviso that at least one member of the board should have cybersecurity experience and a degree/certification in the field.
The advisory will come as a shot in the arm for CISOs and cybersecurity teams looking to make their case for more support from management and the C-suite. CISOs in particular can leverage it so that their conversations (6) with the board are on point.
Value-based cybersecurity investment
Though it is intended to promote collaboration between organizations and the administration—insofar as cybersecurity investments by organizations serve both the interests of the business and the security of the nation—the new DHS advisory and its CPGs provide a key takeaway for all organizations. Replete with instructions that help organizations prioritize their cybersecurity investments, the advisory serves as a reminder to view those investments not just as a remedy for today's threats but, more importantly, as 'an investment in a resilient future' for themselves, the industry, and the nation.
The Administration has your back
Though this has always been the case, the advisories once again reiterate the administration's support for organizations on their cybersecurity journey. They align with the National Cybersecurity Strategy of March 2023, which promises that the government will use all tools of national power at its disposal, in a coordinated manner, to protect national security, public safety, and economic prosperity. We highlight just three pointers:
- In addition to committing to work with developers to ensure secure software applications based on emerging technologies, CISA commits to ensuring that government entities 'leverage technically sound and effective practices developed together with their partners across the private sector', while regularly updating criteria for secure-by-design products and ensuring cooperation from manufacturers.
- DHS assures organizations that it will leverage its 'months of data collection and analyses' and the feedback received, in addition to bringing together the right stakeholders to further develop cybersecurity standards, guidelines and practices.
- The SEC's reporting requirements ensure that organizations have the administration's backing when they comply by disclosing cyber incidents and processes; disclosures that ultimately bolster investor confidence, market sentiment, and the economy as a whole.
For organizations contemplating, beginning, or stepping up their cybersecurity journey, the underlying message in all this is amply clear: you are not alone!
Addressing a wide variety of stakeholders, from contractors and agencies in the public and private sectors to suppliers, organizations, investors and markets, the cybersecurity advisories, with their carefully developed specifics, collectively offer more than just a roadmap on cybersecurity matters.
Their objectivity and comprehensiveness are spelled out in the vision (5) of the overarching March 2023 White House press release on the National Cybersecurity Strategy, namely to make the country's digital ecosystem defensible, resilient, and values-aligned.
Under attack from threat actors in the cybersecurity war currently being played out, organizations, both big and small, public and private, are more than just an integral part of this ecosystem.