November 7, 2023 By Sue Poremba 4 min read

One thing that came out of the pandemic years was a stronger push toward an organization-wide digital transformation. Working remotely forced companies to integrate digital technologies, ranging from cloud computing services to AI/ML, across business operations to allow workers to keep up high production and efficiency standards.

Now that businesses and consumers have adjusted to the new normal of digital transformation, it is time to develop a security transformation strategy.

Coping with the speed of change

A constantly evolving tech environment means that security needs and systems are constantly shifting. For an easy example, just look at how quickly cybersecurity has had to adapt to generative AI. In less than a year, organizations and cybersecurity analysts have been searching for ways to use generative AI to improve cyber defenses, while threat actors have already found ways to launch more sophisticated and harder-to-detect attacks (not to mention attacks on the AI tools themselves).

Like any transformation, the problem is knowing where to start and what needs to be updated. Luckily, the security transformation has blueprints to follow, starting with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). From there, organizations can use reference points such as recent White House Executive Orders around cybersecurity readiness and state, federal, industry and international data privacy compliance regulations. Cybersecurity insurance requirements provide more useful guidelines.

And like the digital transformation, the security transformation will evolve to fit your organization’s needs. There may be some push to move quickly — you want protections or policies in place for a ransomware attack sooner rather than later, for instance. However, it is better to be methodical to ensure that you are building the right security program for your needs.

The NIST CSF update offers an example for your transformation

The original NIST CSF was released in 2014 and was designed to improve security around critical infrastructure. It was developed from an Executive Order released by the Obama White House in 2013 to provide “a consensus description of what’s needed for a comprehensive cybersecurity program,” according to then-Under Secretary of Commerce for Standards and Technology and NIST Director Patrick D. Gallagher.

However, ten months is a long time in our digital society, let alone ten years. When NIST CSF 1.0 was introduced, it was revolutionary for its era. It also came before cloud computing was part of every business environment, before ransomware was shutting down hospitals and casinos and before APIs became a major attack vector. In fact, smartphones were still in their early years, and BYOD was a fairly new term.

“NIST is updating the Framework to account for the changes in the cybersecurity landscape, including changes in threats, technologies and standards,” Cherilyn Pascoe, lead developer of the framework, told Cybersecurity Dive.


New guidelines bring NIST into the future

CSF 2.0 is a methodical update. In February 2022, NIST put out a request for information, asking for guidance from tech and cybersecurity companies on how to best update CSF, as well as address the growing threat around supply chain risks. NIST then opened up the framework for public comments before the final version of CSF 2.0 goes live.

Despite being designed for those industries that make up the critical infrastructure, such as utilities, gas and oil, CSF 1.0 was used as a guide across industries trying to figure out how to best introduce cybersecurity into their organizations. CSF 2.0 builds on what worked in the original while adding “an expanded scope, the addition of a sixth function, Govern and improved and expanded guidance on implementing the CSF — especially for creating profiles.”

NIST recognized that while CSF 1.0 added value, it was no longer meeting the cybersecurity challenges industries face today. NIST is following a similar framework path to address the security concerns around AI. A White House Executive Order expounds on the value of a zero trust model, and the Department of Defense introduced the Cybersecurity Maturity Model Certification in 2020 to ensure that defense contractors were meeting cybersecurity standards, but the CMMC framework continues to evolve and change.

Why your organization needs a methodical security transformation

There are two important takeaways from these government initiatives. First, the federal government sees the importance of nationwide standards to protect sensitive information critical to business operations and consumer personal security. Second, while nothing ever happens quickly when it involves the government, this methodical system of creating and updating these frameworks shows that security transformation takes a lot of thought, a lot of planning and a lot of time.

Transforming your organization’s security program should also be done in a methodical, deliberative manner. As security analysts repeat on a loop, there is no one-size-fits-all solution. Many risks are shared across organizations, and threat actors do have favored attack vectors and attack types. But the threats facing your organization are uniquely yours, and it is time to transform your security program to meet your needs.

Where to get started

It begins with a thorough evaluation of what you are protecting, the biggest risk factors to your industry and business operations, the regulatory compliance requirements you must follow and the types of threats and attacks you have dealt with in the past. Tools that offer full visibility into your infrastructure and that provide identity management are a starting point. Enforcing least privilege and MFA is an immediate mitigation for one of the top security problems today, credential theft: MFA blunts the use of a stolen password, and least privilege limits what a stolen credential can reach.
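The two controls named above are easy to state and easy to let drift. The following script is an added example, not code from the article or from IBM: it audits a constructed, made-up identity inventory for the gaps a credential thief would exploit. It assumes a credential report in the column shape of `aws iam get-credential-report` (user, MFA flag, access-key status and last-use date) and policies in AWS IAM JSON shape; the user and policy names are hypothetical. It flags users without MFA, active access keys that are unused or stale, and Allow statements whose Action or Resource is a wildcard.

```python
"""Least-privilege and MFA audit over a constructed IAM inventory (added example)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample data, modelled on the columns of `aws iam get-credential-report`.
# Every row is made up for this example.
CREDENTIAL_REPORT = """user,mfa_active,access_key_1_active,access_key_1_last_used_date
alice,true,true,2023-11-01T09:12:00+00:00
bob,false,true,2023-06-14T17:45:00+00:00
svc-backup,false,true,N/A
carol,true,false,N/A
"""

# Constructed sample policies in AWS IAM JSON shape; the policy names are hypothetical.
POLICIES = {
    "AdminEverything": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "BackupWriter": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:PutObject"],
             "Resource": "arn:aws:s3:::backups/*"},
            {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        ],
    },
    "ReadOnlyLogs": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["logs:GetLogEvents"],
             "Resource": "arn:aws:logs:*:*:log-group:app/*"},
        ],
    },
}

# Reference time for the staleness check (the article's publication date).
NOW = datetime(2023, 11, 7, tzinfo=timezone.utc)


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return Allow statements whose Action or Resource is a wildcard.

    'service:*' counts as overbroad: it grants every API in that service,
    which is the opposite of least privilege.
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        wide_actions = [a for a in _as_list(stmt.get("Action"))
                        if a == "*" or a.endswith(":*")]
        wide_resources = [r for r in _as_list(stmt.get("Resource")) if r == "*"]
        if wide_actions or wide_resources:
            findings.append({"statement": idx, "actions": wide_actions,
                             "resources": wide_resources})
    return findings


def audit_policies(policies):
    """Map policy name -> overbroad statements, omitting clean policies."""
    result = {}
    for name, policy in policies.items():
        findings = find_overbroad_statements(policy)
        if findings:
            result[name] = findings
    return result


def audit_credentials(report_csv, now, stale_after=timedelta(days=90)):
    """Map user -> issues: missing MFA, and active keys never used or unused for `stale_after`.

    A standing, unused key is a credential-theft target with no MFA in front of it;
    it should be rotated or removed.
    """
    issues = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        found = []
        if row["mfa_active"] != "true":
            found.append("no MFA")
        if row["access_key_1_active"] == "true":
            last = row["access_key_1_last_used_date"]
            if last == "N/A":
                found.append("active key never used")
            elif now - datetime.fromisoformat(last) > stale_after:
                found.append("active key stale")
        if found:
            issues[row["user"]] = found
    return issues


if __name__ == "__main__":
    for user, found in audit_credentials(CREDENTIAL_REPORT, NOW).items():
        print(f"{user}: {', '.join(found)}")
    for name, findings in audit_policies(POLICIES).items():
        print(f"{name}: overbroad statements {[f['statement'] for f in findings]}")
```

On the constructed data the script reports `bob` (no MFA, stale key), `svc-backup` (no MFA, never-used key), and the `AdminEverything` and `BackupWriter` policies; a real run would replace the two constants with the output of your identity provider or cloud account and feed the findings into the evaluation described above.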

You may need a managed security service provider (MSSP) to help with your security transformation. The MSSP can provide a range of tools, like data loss prevention (DLP), endpoint detection and response (EDR) and identity and access management (IAM).

This is a good time to evaluate your security awareness program. There are new approaches to security awareness that gamify learning or treat training films more like entertainment for better retention.

Where and how you begin your security transformation will depend on your organization’s security maturity. From there, it is both building on your strengths and addressing your weaknesses (and you’ll probably want to go with the latter first). The goal is to meet the threat actors where they are targeting their attacks right now and then anticipate how their attacks are evolving against your industry.

And if you aren’t sure how to shape your security transformation, don’t worry. This is one time when the government has the help you need.
