The past two weeks has seen these three events:
- the National Institute of Standards and Technology (NIST) announced the draft version of a cyber risk self-assessment tool;
- new Vendor Security Alliance announced they are building a questionnaire to evaluate the cyber risk introduced by vendors; and
- the New York State Department of Financial Services proposed regulations “to ensure the safety and soundness of New York State’s financial services industry” by protecting them from
What is motivating this spate of initiatives?
“Over the past year or two, someone has been probing the defences of the companies that run critical pieces of the Internet… precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down.”
Security expert Bruce Schneier, quoted in TechWeekEurope
Bruce Schneier’s recent statement is chilling. In the early days, hackers seeking glory and/or money were the culprits behind cyber breaches. Continual penetration of companies and agencies by nation-states in recent years threatens to endanger our economy and our national security. Now the possibility of intentional internet outages is increasing the pressure to take broader action.
If we hope to mitigate risk on a national level, we have to develop better ways to estimate the risk of breaches and gauge their likely outcomes. To do so requires developing a closed loop system based on capturing and inputting the best available data. Consider this simple feedback loop as a way to develop cyber maturity:
- assess the internal environment (e.g., defenses, processes, policies, technologies), and anonymize the captured data while retaining key demographic information (e.g., SIC code, size, geography);
- aggregate and combine data about external incidents with the internally captured data to create predictive analytics that reveal the probability of a breach; and
- guide organizations with a custom list of prioritized actions that will mitigate the risk of a breach.
While creating predictive analytics for cyber risk seems to be straightforward, current offerings focus only on external threats and incidents and don’t include internal assessments. Disregarding the effect of internal measures greatly limits the precision of the analytics, and it constrains the capability to guide by suggesting risk-limiting actions. [If creating predictive cyber analytics is analogous to creating a credit score, knowledge of internal measures is like seeing detailed financial statements, while knowledge of external threats and incidents is limited to observing transaction activity. (See “To FICO or Not to FICO” for more on this.)
What stands in the way of closing the feedback loop?
- Getting internal information is difficult. Companies are not anxious to expose internal actions, especially in a sensitive area like cybersecurity. Overcoming that obstacle requires offering something valuable in exchange (e.g., empowering the board and C suite to oversee cyber maturity development).
- While NIST CSF is the most widely recognized standard, until recently we have had no systematic way of measuring an organization against it and other recognized standards in order to capture data on thousands of organizations’ internal practices.
- Organizations have attacked the problem in piecemeal fashion by applying the latest technology and buying more cyber insurance, rather than deliberately working toward developing cyber maturity.
Passing the Sarbanes Oxley Act of 2002 greatly increased the attention paid by board members and the C suite to financial governance and oversight. We now face its cyber analog: how to decrease cyber risk by encouraging and empowering board members to pay similar attention to cybergovernance.
The proposed legislation announced by Governor Cuomo of New York is a good move toward that end. “The regulation requires banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.”
While the regulations aren’t groundbreaking and they only apply to one industry, they are innovative in that they represent the first cybergovernance mandate in the nation. They specifically require affected organizations to name a Chief Information Security Officer (CISO) whose primary focus is developing the cyber maturity of the organization, including meeting the other prescriptive requirements of the regulations (adequate staffing, third-party evaluations, multi-factor authentication, etc.).
New York has taken the first step. Regulation on a national scale seems more likely now than ever. Protecting our economy and our national security demands it.