The need for continuous monitoring, effective metrics and skilled workers.
The laudable aim of the National Institute of Standards and Technology (NIST) is to build a common language through a set of best practices and security principles that any organization can apply to combat cybercrime. We’ve looked at what NIST’s Cybersecurity Framework can do for you. We’ve also drilled a little deeper to reveal the importance of solid analysis in assessing your risk and requirements to ensure that you built it right first time.
A solid foundation is a great start, but you also need to implement continuous monitoring and find a way to measure how successful your efforts have been. Because security is a race, rather than a destination, it’s vital to keep identifying gaps, making improvements, and validating your activities. To do that, you’ll need the right attitude and the right talent.
Change is constant
Cybercriminals and would-be hackers are constantly developing new techniques and uncovering fresh vulnerabilities, so defenses must be monitored and updated continually. While the Cybersecurity Framework offered up is a great starting point, with lots of useful advice, it’s not easy to assess how effective it has been within organizations.
That’s the main reason why, at the beginning of the year, the NIST Cybersecurity Framework, Assessment and Auditing Act of 2017 was passed into law. It’s an attempt to ensure that progress is measured, but establishing metrics to measure the effectiveness of security policies is a tricky business. Different organizations have different priorities.
The framework provides a skeleton that you can flesh out with your own organization’s requirements, and the metrics you adopt to measure the efficacy of your efforts are no different. If you don’t take the time to build a solid set of metrics, then you really don’t know if your efforts are paying off.
Later this year, there will also be a major revision to the document, which is available in draft form right now. Collaborators have been working to integrate privacy and cyber controls and align them with NIST’s cybersecurity framework recommendations. You can currently review and comment on this document, ahead of a final draft at the end of the year.
A very large skills gap
One of the biggest challenges facing any organization that’s trying to put NIST’s cybersecurity framework into practice is the lack of workers with the right skillset. Take a look at the interactive map at Cyberseek.org for an overview of the problem. There were 112,000 InfoSec analyst job openings last year in the United States, but only 96,870 workers to go around.
Another 200,000 openings requested cybersecurity-related skills. Cloud security skills were apparently the hardest to find, with jobs remaining open an average of 96 days. This worrying shortfall has prompted the creation of the National Initiative for Cybersecurity Education (NICE). Just as the cybersecurity framework creates a common language for discussing security issues and best practices, NICE aims to help you assess workforce skills and identify certification and training requirements.
Many organizations struggle to find people who possess the right knowledge, skills and abilities, and worse, they often can’t fully articulate precisely what they need. This is one of the reasons that a virtual CISO can be a real boon for an organization trying to get its cybersecurity polices on track and recruit an effective team.
Security for all
Because the cybersecurity space is developing so quickly, it’s understandable that some of the risks caught some organizations unawares. But ignorance can no longer be used as an excuse. Data breaches and other cybersecurity incidents can often now result in regulatory fines and serious reputational damage.
While there seems to be a general acceptance about the level of threat, we are still not seeing the positive action required to nullify it. Verizon’s 2017 Data Breach Investigations Report found that 88% of breaches still fall into one of the nine patterns it identified back in 2014. The difficulty organizations are having is in validating implementation and building resilience.
The fact that NIST is working hard with the wider community to pool resources and knowledge is very encouraging. The importance of this endeavor comes into sharp relief when you consider the bi-partisan cooperation in a generally combative political climate. The government and wider cybersecurity community are committed to effecting real change and tightening our collective defenses, but we all need to pitch in.