What does the latest U.S. federal ruling on cybersecurity mean for you? The recent executive order and U.S. Cybersecurity & Infrastructure Security Agency (CISA) commentary on it could provide a good framework for defending against ransomware and other attacks.

In its executive order on ‘Improving the Nation’s Cybersecurity,’ the White House directed the Secretary of the Department of Homeland Security (DHS) to “develop a standard set of operational procedures (playbook) to be used in planning and conducting a cybersecurity vulnerability and incident response activity respecting Federal Civilian Executive Branch (FCEB) Information Systems.”

Now CISA has fulfilled that mandate by publishing the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. These resources provide recommendations for how FCEB agencies can respond to security incidents and remediate vulnerabilities.

Unpacking the CISA Playbooks

To better understand these playbooks, I sat down with Gregory Touhill, ISACA board chair and director of the CERT Division of Carnegie Mellon University’s Software Engineering Institute. Touhill was also the U.S. government’s first chief information security officer (CISO), as appointed by former President Barack Obama. Here’s what he had to tell me.

David Bisson: What is the significance of CISA releasing its recent incident and vulnerability response playbooks?

Gregory Touhill: Previously in my career, I worked with organizations to build out cyber incident playbooks for critical infrastructure partners. I recall working with the financial services sector to identify best practices and tactics, techniques and procedures to build out incident response playbooks. But at that time, everyone was doing their own thing across the federal government, and DHS didn’t have the authority to standardize incident response and event management.

It’s a different story with CISA. This organization has the authority to take all the lessons from previous and current administrations to identify best practices in incident response and vulnerability management. The significance here is that CISA can standardize those guidelines as well as make sure every department and agency is following them. This helps to ensure there’s a common framework to have a more effective incident response and attack assessments if and when a bad day happens across the .gov domain. Similarly, it puts CISA in a position where it can take those playbooks and share them with critical infrastructure players.

Let me be clear. Without standardization, the federal government faces the risk of incomplete or ineffective response. There’s no unity of effort. There’s no proper communication of threats in a timely manner. And with that lack of communication, there’s the potential that a great solution set from one part of government doesn’t get communicated to another part. Such a gap can expand the federal government’s risk exposure, as attackers might try to target other agencies and departments. To prevent this from happening, we want to make sure we have common actions so that we can maximize precious resources and put them where they need to be at a time when they’re needed.

DB: What stands out to you from the playbooks?

GT: CISA’s playbooks embody a great and well-anticipated evolution of some of the efforts we’ve been doing for many years. They build on work that’s already been done. They also build on authorities that have come before, ensuring that we have a much more disciplined approach to cybersecurity going forward.

These standardized best practices come on the heels of CISA having announced the Joint Cyber Defense Collaborative public-private partnership initiative. When viewed with this initiative, it’s clear that CISA’s playbooks will be cross-fed with critical infrastructure partners along with different sector-specific agencies. They will be a great source of collaborative best practices to enhance cooperation with private industry organizations.

How Is This Relevant to Business?

DB: What part of CISA’s playbooks do organizations tend to struggle with most?

GT: Most of the time, organizations struggle to exercise their incident response and vulnerability management plans. An organization can have the best playbook out there, but if it doesn’t exercise it on a regular basis, well, ‘If you don’t use it, you lose it’. It needs to make sure that its playbooks have the proper scope so that everyone from executives to everyone else within the organization knows what they need to know…

When I say ‘exercise’, it’s important that organizations test their plans under realistic conditions. I’m not saying they need to unplug a device or bring in simulated bad code. They just need to make sure everyone tasked in the playbook knows what’s going on, understands what their roles are and periodically tests the plans. They can take the lessons they’ve learned and refine them. Incident response exercises don’t end with victory. They end with lessons for the future.

Ultimately, documents that sit on a shelf rarely get read. To be high-performing, industry, government and critical infrastructure organizations need to continue to test their technology, processes and people. They also need to understand their priorities and check multiple contingencies in an iterative way. For instance, after having run an exercise with IT, they can choose to run through the same (or similar) plan with operational technology to build their preparedness against attacks targeting their industrial control systems.

What the Playbook Doesn’t Cover

DB: Anything that you wish was included but didn’t make it into the playbooks?

GT: Three things. First, I would have liked to have seen CISA put some requirements in about the frequency of the exercises. CISA could have set a specific number of times that organizations must exercise their plans each year, for example.

Second, I would have liked to have seen some more clarity about the identification of best practices. Someone might figure out a new way for attack warning and assessment. But how does what they come up with get boosted up the chain of command? We need to have a good model for encouraging people to identify best practices as well as a workable model for evaluating those recommendations. We also need to have a mechanism in place so that best practices can be incorporated and quickly disseminated to playbook owners.

Finally, I would have liked to have seen some sort of governance model. Who will be reviewing these playbooks on a regular basis for content improvements? It shouldn’t just be CISA. It can be done through the auspices of bodies like the Federal CISO Council. This will bring more maturity on governance and oversight to the playbooks overall.

DB: Any other thoughts you have on the playbooks?

GT: Organizations need to be proactive. They can’t wait for a bad day to occur.
