November 7, 2023 By Sue Poremba 4 min read

One thing that came out of the pandemic years was a stronger push toward an organization-wide digital transformation. Working remotely forced companies to integrate digital technologies, ranging from cloud computing services to AI/ML, across business operations to allow workers to keep up high production and efficiency standards.

Now that businesses and consumers have adjusted to the new normal of digital transformation, it is time to develop a security transformation strategy.

Coping with the speed of change

A constantly evolving tech environment means that security needs and systems are constantly shifting. For an easy example, just look at how quickly cybersecurity must change to adapt to generative AI. In less than a year, organizations and cybersecurity analysts are searching for ways to use generative AI to improve cyber defenses, while threat actors have already discovered ways to launch more sophisticated and harder-to-detect attacks (not to mention targeting the AI tool itself).

Like any transformation, the problem is knowing where to start and what needs to be updated. Luckily, the security transformation has blueprints to follow, starting with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). From there, organizations can use reference points such as recent White House Executive Orders around cybersecurity readiness and state, federal, industry and international data privacy compliance regulations. Cybersecurity insurance requirements provide more useful guidelines.

And like the digital transformation, the security transformation will evolve to fit your organization’s needs. There may be some push to move quickly — you want protections or policies in place for a ransomware attack sooner rather than later, for instance. However, it is better to be methodical to ensure that you are building the right security program for your needs.

The NIST CSF update offers an example for your transformation

The original NIST CSF was released in 2014 and was designed to improve security around critical infrastructure. It was developed from an Executive Order released by the Obama White House in 2013 to provide “a consensus description of what’s needed for a comprehensive cybersecurity program,” according to then-Under Secretary of Commerce for Standards and Technology and NIST Director Patrick D. Gallagher.

However, ten months is a long time in our digital society, let alone ten years. When NIST CSF 1.0 was introduced, it was revolutionary for its era. It also came before cloud computing was part of every business environment, before ransomware was shutting down hospitals and casinos and before APIs became a major attack vector. In fact, smartphones were still in their early years, and BYOD was a fairly new term.

“NIST is updating the Framework to account for the changes in the cybersecurity landscape, including changes in threats, technologies and standards,” Cherilyn Pascoe, lead developer of the framework, told Cybersecurity Dive.


New guidelines bring NIST into the future

CSF 2.0 is a methodical update. In February 2022, NIST put out a request for information, asking for guidance from tech and cybersecurity companies on how to best update CSF, as well as address the growing threat around supply chain risks. NIST then opened up the framework for public comments before the final version of CSF 2.0 goes live.

Despite being designed for those industries that make up the critical infrastructure, such as utilities, gas and oil, CSF 1.0 was used as a guide across industries trying to figure out how to best introduce cybersecurity into their organizations. CSF 2.0 builds on what worked in the original while adding “an expanded scope, the addition of a sixth function, Govern and improved and expanded guidance on implementing the CSF — especially for creating profiles.”

NIST recognized that while CSF 1.0 added value, it was no longer meeting the cybersecurity challenges industries face today. NIST is following a similar framework path to address the security concerns around AI. A White House Executive Order expounds on the value of a zero trust model, and the Department of Defense introduced the Cybersecurity Maturity Model Certification in 2020 to ensure that defense contractors were meeting cybersecurity standards, but the CMMC framework continues to evolve and change.

Why your organization needs a methodical security transformation

There are two important takeaways from these government initiatives. First, the federal government sees the importance of nationwide standards to protect sensitive information critical to business operations and consumer personal security. Second, while nothing ever happens quickly when it involves the government, this methodical system of creating and updating these frameworks shows that security transformation takes a lot of thought, a lot of planning and a lot of time.

Transforming your organization’s security program should also be done in a methodical, deliberative manner. As security analysts repeat on a loop, there is no one-size-fits-all solution. Many risks are similar across organizations, and threat actors do have favored attack vectors and attack types. But the threats facing your organization are uniquely yours, and it is time to transform your security program to meet your needs.

Where to get started

It begins with a thorough evaluation of what you are protecting, the biggest risk factors to your industry and business operations, the compliance regulations you are required to follow and the types of threats and attacks you’ve dealt with in the past. Tools that offer full visibility into your infrastructure and that provide identity management are a starting point. Deploying least privilege principles and MFA can be an immediate solution to one of the top security problems today — credential theft.

You may need a managed security service provider (MSSP) to help with your security transformation. The MSSP can provide a range of tools, like data loss prevention (DLP), endpoint detection and response (EDR) and identity and access management (IAM).

This is a good time to evaluate your security awareness program. There are new approaches to security awareness that gamify learning or treat training films more like entertainment for better retention.

Where and how you begin your security transformation will depend on your organization’s security maturity. From there, it is both building on your strengths and addressing your weaknesses (and you’ll probably want to go with the latter first). The goal is to meet the threat actors where they are targeting their attacks right now and then anticipate how their attacks are evolving against your industry.

And if you aren’t sure how to shape your security transformation, don’t worry. This is one time when the government has the help you need.
