The recent announcement of another IRS cyber breach raises this question: are agencies embracing and applying government cybersecurity standards?
The government, our government will be permanently late for your cybersecurity… As taxpayers, you and I are going to want our government to defend us up here [in the cyber domain] the way we have become accustomed to relying on the government for defending us down here. But there’s the general sclerosis of government, and the technology is going to move much faster than any government can move.
Putting the right threat protection technology in place is an absolute necessity, but a strong case can be made for focusing on the organization first and then on the technology measures.
While cybersecurity measures are deterministic, cyber risk is probabilistic. It has no single point of origin (internal or external to the firm), but instead emerges from the interaction of people, processes, and technologies. The extent to which managers can control the security of those interactions determines how well they can reduce cyber risk.
Breaches are almost always traced to a human failing rather than faulty technology or a bad implementation. Finding the cause of a breach (e.g. Target allowing an HVAC vendor access to a payment system that touched other systems) identifies the steps that could have prevented it. Agencies should be measuring and monitoring progress toward cyber maturity, and benchmarking against government-created standards like NIST and C2M2.
The NIST Cybersecurity Framework has won universal acclaim. Governmental and private organizations concerned about risk routinely recommend or demand following its guidelines. It has become the “gold standard” for cyber risk mitigation. Organizations can measure the maturity of cybersecurity across NIST’s dimensions that we’ve given simple names. Broadening management attention beyond Risk Management (cybersecurity technology and processes) encourages Risk Culture (inclusion of non-technical organizations like HR and Procurement) and grows Risk Influence (stronger management of external dependencies on vendors and partners).
The second framework is C2M2 (“Cybersecurity Capability Maturity Model”), created by the Department of Energy at about the same time as the NIST standard. C2M2 identifies 300+ control points to monitor within an organization. A control point is not a physical entity; it denotes the execution of a procedure or the implementation of a policy. Neither NIST nor C2M2 is prescriptive about the types of hardware and software solutions to implement. Instead, they identify specific actions that an organization can take to improve its readiness for an attack.
Regular, ongoing assessment using both standards would give non-technical agency leaders clarity about the status of cybersecurity initiatives and guidance on next steps. These standards are risk-focused approaches to business process and policy – activity that is both familiar and accessible to a broad spectrum of stakeholders in your organization. This is more than a technology problem – it needs attention from non-technical people.