Earlier this year, the National Institute of Standards and Technology added "Govern" as the sixth pillar (NIST's own term is "Function") of its updated Cybersecurity Framework, CSF 2.0, which is expected to be published in final form in early 2024.
The first five pillars of the Cybersecurity Framework were written to improve the security of critical infrastructure. The first version, published in 2014, stated that the pillars, 'Identify, Protect, Detect, Respond and Recover,' were put in place to "provide organization and structure to cybersecurity by assembling standards, guidelines, and practices that are working effectively in the industry today." Together they have been the foundation for the critical infrastructure industry for nearly a decade. In August 2023, NIST released a draft that updates the framework to reflect what the cybersecurity landscape looks like today.
Along with introducing the Govern pillar, the new framework expands beyond critical infrastructure and offers a structure for all organizations, regardless of size, industry or region. That broader scope places more responsibility on leaders, which is why governance is essential within the framework. The new pillar emphasizes the importance of leadership and of comprehensive, organization-wide guidelines as the cybersecurity landscape grows. Applied effectively, governance strengthens an organization's overall security posture, gives companies a way to show that their security infrastructure aligns with their policies at any given time, and gives security teams a way to measure how effectively their controls are operating.
The timing is good: as 2023 draws to a close, security teams should take stock of the policies and procedures they have in place so that they enter the new year with a strong security posture. That makes Govern a welcome addition to the framework.
That said, organizations will face obstacles when adopting governance. Enterprises must learn how to adapt this new pillar to their own environment and use it to manage the complexity of cybersecurity and the evolving threat landscape.
Let's examine five of the challenges organizations may face while integrating governance principles into their overall security practice, and what they can do to make the process easier.
— Implementation Complexity: Organizations need to understand how to apply governance principles to their specific environments, especially when the network consists of diverse technologies, systems and processes. It is critical to have a solution, such as a network defense platform, that can be deployed quickly and give the team actionable data and insight into what is happening and where it is happening, in one central place.
Such a platform can also alleviate configuration drift, which is common in complex environments and continually creates unexpected, hard-to-detect security risks. Leaders should look for a solution that identifies system misconfigurations and alerts teams before those gaps lead to attacks.
— Resource Constraints: Many enterprises, especially smaller organizations, lack the people, technology, budget or expertise to continuously monitor all activity on their network, which makes establishing and maintaining a robust cybersecurity governance program an extra challenge.
Recent research from Enterprise Strategy Group indicates that 71% of responding organizations say they are affected by the cybersecurity skills shortage, up 14 percentage points from 2021. In today's dispersed networks, security leaders need a solution that monitors compliance with governance policies and can respond to unexpected changes across all environments. Visibility across the entire network, without a heavy lift or additional resources, is essential for the success of security teams today.
— Rapidly Evolving Network Security Architectures: Zero Trust can be described as a "Faustian bargain": you need it, but what do you have to give up to get it? Teams need real-time awareness of the composition and activities of the participants in their networked environments, which include users, applications, data and devices. Yet the combination of Zero Trust, which encrypts traffic end to end, and migration to the cloud, where there is often no wire to tap, has largely rendered traditional packet inspection ineffective.
A network defense platform and similar cloud-native technologies can provide context about the participants and monitor the activities of the actors in these environments, giving teams actionable intelligence to inform and validate policy decisions.
— Social Media Governance: From data privacy and security concerns, to account and device security, to reputation and crisis management, social media is a Pandora's box of challenges for organizations, before even considering regulatory compliance and integration into overall governance efforts.
Those risks have led many national governments to ban TikTok from government-issued devices. In the U.S., the federal government has banned TikTok from government devices and more than half of the 50 states have followed suit. Leaders must decide what access, if any, to social media platforms should be allowed, and visibility into each application's activity on each device is a key ingredient of effective enforcement.
— Measurement and Reporting: Measuring the effectiveness of cybersecurity governance is hard. Governance, risk and compliance (GRC) teams should look for approaches that let them use dashboards for streamlined audits and for proof of enforcement when reporting to auditors, regulators or board committees.
Adding governance to the NIST CSF is a key step in helping organizations show that their infrastructure aligns with their policies at any given time, and it gives security teams a way to measure how effectively their controls are operating.
As the calendar year comes to an end, teams should take the opportunity to implement comprehensive, actionable guidelines, backed by tools that will leave them prepared to face whatever new threats the new year has in store.
Martin Roesch is CEO of Netography, an Annapolis, Maryland-based company that provides real-time breach detection and prevention products and services that are designed to secure business and mobile networks, emails, applications and data.