One thing that came out of the pandemic years was a stronger push toward an organization-wide digital transformation. Working remotely forced companies to integrate digital technologies, ranging from cloud computing services to AI/ML, across business operations to allow workers to keep up high production and efficiency standards.
Now that businesses and consumers have adjusted to the new normal of digital transformation, it is time to develop a security transformation strategy.
Coping with the speed of change
A constantly evolving tech environment means that security needs and systems are constantly shifting. For an easy example, just look at how quickly cybersecurity must change to adapt to generative AI. In less than a year, organizations and cybersecurity analysts are searching for ways to use generative AI to improve cyber defenses, while threat actors have already discovered ways to launch more sophisticated and harder-to-detect attacks (not to mention targeting the AI tool itself).
Like any transformation, the problem is knowing where to start and what needs to be updated. Luckily, the security transformation has blueprints to follow, starting with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). From there, organizations can use reference points such as recent White House Executive Orders around cybersecurity readiness and state, federal, industry and international data privacy compliance regulations. Cybersecurity insurance requirements provide more useful guidelines.
And like the digital transformation, the security transformation will evolve to fit your organization’s needs. There may be some push to move quickly — you want protections or policies in place for a ransomware attack sooner rather than later, for instance. However, it is better to be methodical to ensure that you are building the right security program for your needs.
The NIST CSF update offers an example for your transformation
The original NIST CSF was released in 2014 and was designed to improve security around critical infrastructure. It was developed from an Executive Order released by the Obama White House in 2013 to provide “a consensus description of what’s needed for a comprehensive cybersecurity program,” according to then-Under Secretary of Commerce for Standards and Technology and NIST Director Patrick D. Gallagher.
However, ten months is a long time in our digital society, let alone ten years. When NIST CSF 1.0 was introduced, it was revolutionary for its era. It also came before cloud computing was part of every business environment, before ransomware was shutting down hospitals and casinos and before APIs became a major attack vector. In fact, smartphones were still in their early years, and BYOD was a fairly new term.
“NIST is updating the Framework to account for the changes in the cybersecurity landscape, including changes in threats, technologies and standards,” Cherilyn Pascoe, lead developer of the framework, told Cybersecurity Dive.
Related: CEO’s guide to generative AI – Cybersecurity
New guidelines bring NIST into the future
CSF 2.0 is a methodical update. In February 2022, NIST put out a request for information, asking for guidance from tech and cybersecurity companies on how to best update CSF, as well as address the growing threat around supply chain risks. NIST then opened up the framework for public comments before the final version of CSF 2.0 goes live.
Despite being designed for those industries that make up the critical infrastructure, such as utilities, gas and oil, CSF 1.0 was used as a guide across industries trying to figure out how to best introduce cybersecurity into their organizations. CSF 2.0 builds on what worked in the original while adding “an expanded scope, the addition of a sixth function, Govern and improved and expanded guidance on implementing the CSF — especially for creating profiles.”
NIST recognized that while CSF 1.0 added value, it was no longer meeting the cybersecurity challenges industries face today. NIST is following a similar framework path to address the security concerns around AI. A White House Executive Order expounds on the value of a zero trust model, and the Department of Defense introduced the Cybersecurity Maturity Model Certification in 2020 to ensure that defense contractors were meeting cybersecurity standards, but the CMMC framework continues to evolve and change.
Why your organization needs a methodical security transformation
There are two important takeaways from these government initiatives. First, the federal government sees the importance of nationwide standards to protect sensitive information critical to business operations and consumer personal security. Second, while nothing ever happens quickly when it involves the government, this methodical system of creating and updating these frameworks shows that security transformation takes a lot of thought, a lot of planning and a lot of time.
Completing your organization should also be done in a methodical, deliberative manner. As security analysts repeat on a loop, there is no one-size-fits-all solution. There are risks that are similar and threat actors do have favored attack vectors and attack types. But, the threats facing your organization are uniquely yours, and it is time to transform your security program to meet your needs.
Where to get started
It begins with a thorough evaluation of what you are protecting, the biggest risk factors to your industry and business operations, the regulatory compliances you are required to follow and the type of threats and attacks you’ve dealt with in the past. Tools that offer full visibility into your infrastructure and that provide identity management solutions are a starting point. Deploying least privilege principles and MFA can be an immediate solution to one of the top security problems today — credential theft.
You may need a managed security service provider to help with your security transformation. The MSSP can provide a range of tools, like data loss prevention (DLP), extended detection and response (EDR) and identity and access management (IAM).
This is a good time to evaluate your security awareness program. There are new approaches to security awareness that gamify learning or treat training films more like entertainment for better retainment.
Where and how you begin your security transformation will depend on your organization’s security maturity. From there, it is both building on your strengths and addressing your weaknesses (and you’ll probably want to go with the latter first). The goal is to meet the threat actors where they are targeting their attacks right now and then anticipate how their attacks are evolving against your industry.
And if you aren’t sure how to shape your security transformation, don’t worry. This is one time when the government has the help you need.