Security fragmentation is a massive problem in security, especially for compliance and risk management professionals and teams. There's unfortunately no standard language that both IT and security, compliance, and audit pros can use to speak about cyber threats, vulnerabilities, processes and initiatives.
Imagine this: Your cyber compliance team speaks only Spanish, your audit team speaks only German, your Risk team speaks only Mandarin and your IT team speaks only english... AS COOL AS THAT WOULD BE and AS MUCH AS YOU'D PROBABLY LEARN... you don't have a translator, or a way to directly communicate in a way everyone understands. Learning all those languages would be hard to do all at once, if not impossible - and your productivity would likely decrease until you figured out a way to communicate fluently between your teams.
This is what happens in cybersecurity today with security fragmentation, and an abundance of standards that don't use the same language. It's a recurring issue in many (if not all) industries. The threat of cyberattacks and data breaches is only getting stronger and broader, and governments, industry groups, and multinational organizations have turned to creating frameworks and standards in hopes that their industries could standardize on a language for cyber security.
With security technology, vendors always try to make things easier, but the more tech we have, the more complicated it seems. Startups try to build rules engines to score compliance and risk, or a system of policy temples and procedures, or compliance reporting software, or tracking and workflow, yet no solution does all of this seamlessly, simply, and with agility. We're in a world filled with point solutions, no matter how you look at it.
The Need for a Common Language for Cybersecurity
In a world with so much complexity and discontinuity, we can't only be preoccupied with the large organizations that fall victim to data breaches and cyberattacks. These organizations suffer breaches even though they have enormous amounts of capital to spend on technologies to protect them, and the resources to spend ample time and effort on security. We also have to think about the small, resource constrained organizations that are falling victim to cybercrime because they don't have the resources to spend ample time and money on new technologies and point solutions.
It's not that there hasn't been improvement by the governments, industry groups and others who create guidelines to run the security of your business by... PCI DSS for cardholder data, New York DFS for Financial Services in New York, HIPPA for healthcare, DFARS NIST SP 800-171 for department of defense and their supply chain, GDPR for everyone and anyone it seems... but most of these regs also don't speak to each other in a way that makes it easy to manage a hybrid of frameworks in your company. Download the CyberSaint guide to streamlining any compliance assessment
However, threats continue to fester even as our tech becomes more intelligent, and for those who can't even comply to the guidelines of more shallow frameworks like ISO/IEC 27001, gold-standard frameworks like the NIST Cybersecurity Framework are out of reach. In order to overcome the growing issue of security fragmentation, there must be a single cohesive language for organizations to communicate that spans across your compliance and risk management needs and scope.
Communication Improves the Strength of Your Organization
We as businesses leaders need to decide how we are going to improve the strength of our organizations and industries. Most CISOs, CROs and CIOs have their own security standards, and sometimes no standards at all - they follow a hybrid framework. Most large organizations need to follow multiple frameworks or create a hybrid. But with this customization, and with different industries choosing different standards, there's no way for us to communicate with each other when one industry is speaking about cyber in a different language than another. Even more, within an organization, employees can fail to communicate how they structure their programs and initiatives with each other.
Cybercriminals will undoubtably find the vulnerabilities created by a lack of understanding and communication, and an inability for security stakeholders to translate the importance of certain cyber standards to non-security stakeholders and departments. When one technology fills the gaps on policies and procedures, another fills the gap on reporting and another on scoring compliance, how are we able to communicate seamlessly?
Communicating Between All Business Functions to Protect Them
Part of running a proactive cybersecurity program is realizing that cyber isn't just a security problem - it's a business problem. Security efforts exist to better support and protect all business functions, sensitive data, and livelihoods of employees and customers. Without the effort and understanding of all business areas, a security team's efforts to standardize cybersecurity tends to be less effective and much less efficient than it would be otherwise.
NIST Cybersecurity Framework: The Translator Between All Departments, Stakeholders, Organizations, and Industries
Former President Obama recognized the problem of security fragmentation in 2013 and gave an executive order that attempted to standardize best cybersecurity practices. This led to the creation of the Cybersecurity Framework (CSF), the most thorough Framework created to date that provides a common language for cyber across industries. The National Institute of Standards and Technology (NIST) lead the creation of the Framework and involved over 3,000 industry professionals to make the Framework as applicable to real business situations as possible. Subsequently, President Trump took the initiative a step further and made the framework a required part of federal agency policy. Download the NIST Cybersecurity Framework Guide
The Framework isn't just for government use, and it can be adapted to businesses of any size. The NIST CSF is designed to enhance the security and resilience of the nation’s critical infrastructure, and as best practice for all businesses. The voluntary risk-based framework integrates a set of industry standards and best practices to help organizations manage cybersecurity risks. As of 2015, 30% of U.S. organizations were using the NIST CSF, and use is predicted to rise to 50% or more by 2020. With more industries, organizations, departments and stakeholders speaking the same language around cybersecurity, we will have more opportunities to explore solutions to threats and improve upon the solutions that we have already discovered.
The Framework is known for its flexibility. Companies can adjust the focus of the Framework to better serve their business needs. The NIST CSF empowers any organization to significantly reduce cybersecurity risks, better detect and respond to security breaches, and quickly recover from incidents. Businesses should begin to think about when and how to implement CSF into their business if they haven't already.
The NIST website has many resources that can help your cyber team begin the
implementation process. However, the Framework is over 900 controls long and can take months and even years in some cases to implement.
No More Point Solutions: Reporting, Tracking, Workflow, Optimization, Policies and Procedures
The Cyberstrong Platform cuts through the chaos of implementing cybersecurity best practices, because implementing and following these requirements should be an effort all businesses and organizations should take on. CyberStrong gives your team visibility into all five NIST CSF functions in hours, and can help create an automated roadmap to success for adoption with efficient workflow and operationalization. The CyberStrong PowerControls give a streamlined approach to adopting the framework regardless of company size, and include intelligent threat intel mapped against your current security standards in real-time. Risk assessments are coupled with each control for a visual, agile, and robust approach to assessing and adopting the most comprehensive Framework to-date.