From November 7th-9th, NIST hosted its annual Cybersecurity Risk Management conference in Baltimore. At the conference, NIST assembled some of the leading minds in cybersecurity, spanning multiple industries and company sizes, to discuss the current risk landscape and how the NIST frameworks (CSF, RMF, etc.) can help organizations mitigate and manage those risks.
The CyberSaint team saw three main subjects tackled in the keynotes and breakout discussions: how organizations of all sizes are adopting the NIST CSF and the challenges that arise, the increase in risk associated with the supply chain, and the work to define and standardize security requirements for medical devices and internet of things (IoT) technologies.
Adoption of the NIST CSF and RMF
Why checkbox compliance fails organizations
Michael Darling, Director of Information Security at Venable LLP, spoke directly to the issues with check-the-box compliance: “I can do all the controls in 800-53 and say ‘yeah I’ve got that’, but I don’t know which ones [controls] are the most important”. Prioritization, especially relative to the desired outcomes, is critical to an efficient and effective compliance program.
With a checkbox approach to security and compliance, many CISOs and their organizations treat each control in a binary fashion: either we have it or we don’t. However, as we’ve discussed on the CyberSaint blog, organizations focused solely on compliance fail to recognize, on a continual basis, the risks and threats unique to their own organization. Darling said compliance frameworks need to add “measurement” and “prioritization” to facilitate an outcomes-based approach (two elements the CyberStrong platform inherently enables security teams to do for this reason).
As security becomes a board-level issue, an outcomes-based approach is increasingly necessary. CISOs must be able to connect their security programs to business outcomes in order to facilitate the stable and secure growth of the enterprise. Donald Heckman, Principal Director and CIO at US Dept of Defense, said, “there’s compliance, but then there’s continuous remediation”, and that all organizations need to think through a risk-based lens to continuously improve as opposed to ‘checking the box’. “It’s not a one and done, it’s a continuous process.”
Adoption roadblocks: scalability
For many enterprise-level organizations, adopting the NIST CSF whole-hog would mean a complete overhaul of the existing security strategy and program. Of course, this is not feasible for a Fortune 50, or even Fortune 500, company. That doesn’t mean the NIST CSF can’t add value to these organizations. In fact, it’s these large organizations that can glean the most value from the gold-standard framework. William Westwater, Program Manager for Information Security Governance at Boeing, said, on scaling the NIST CSF for large enterprises: "You're gonna have to buy your scalability: outsource (humans) and consultants."
With security becoming a top-of-mind problem that CEOs are looking to solve, CISOs need to be able to provide actionable steps to further mitigate risks to their organization. The NIST CSF can provide those steps, but CISOs must be able to prioritize them into a concrete plan of action that supplements the existing cyber program with the Framework.
Adoption roadblocks: risk quantification
Going hand-in-hand with the scalability problems that many enterprises face when looking to adopt the NIST CSF, risk quantification, and a data-based approach to deciding where to start, is a problem organizations of all sizes face. Gartner sees this as an area that will define AI-backed integrated risk management (IRM) solutions. The CyberStrong platform already offers AI-backed risk quantification and prioritizes remediation steps based on impact.
Vendor (supply chain) risk
As enterprises become a digital ecosystem of internal stakeholders and third-party vendors, the risk introduced by those vendors grows rapidly. With 75% of organizations seeing their vendor list grow by 20% this year, supply chain risk management is a top priority for CISOs. The overall theme that emerged as a means to mitigate this risk was a strong cybersecurity strategy based on risk, not checkbox compliance. In the opening keynote, Leo Simonovich, Siemens Vice President and Global Head of Industrial and Digital Cyber, said "security has to be more than a seatbelt or an airbag in the digital world." This is especially true in managing supply chain risk. As organizations continue to outsource more and more, reactive thinking is no longer an option.
Securing medical devices and the internet of things (IoT)
The balance between user experience and security
During its development, security in the internet of things was largely an afterthought. However, as we’ve seen with recent attacks, it cannot stay that way. For organizations embracing IoT, it is a form of risk they are not familiar with: a smart light bulb is suddenly an endpoint that needs to be secured. Speaking on an IoT security panel, CyberSaint CEO George Wrenn said that user experience has been a great hindrance to IoT security.
With a cutting-edge technology that alters user behavior, product managers recognized that a hard-to-use product would slow adoption. Why outfit your house with smart light bulbs if you had to create a secure password for each light bulb? You’d simply buy ‘dumb’ light bulbs and forget the hassle. However, as Wrenn said, the dichotomy between a secure product and one that’s easy to use has created the problem that security professionals face today: not only are black-hat actors able to harness the power of these insecure IoT products, but manufacturers are only now implementing security standards in their products. Calling it the “right to patching”, Wrenn spoke about consumers’ and businesses’ right to have these security holes repaired, even in legacy devices.
Where are the standards?
During the IoT panel, the panelists were asked what they saw in the future of IoT security standards and certifications. IoT security threats pose the greatest risk to enterprise organizations, as they have the greatest reliance on this technology. On the other hand, it is difficult to identify specific threats on the consumer side of IoT. CyberSaint CEO Wrenn spoke to this, saying “We’re starting to see more of a call for regulations in industrial IoT and enterprise IoT but it’s going to be a while until the consumer market gets to that level of certification and that kind of standard.”
Wrenn also spoke to when the industry will start to see IoT security certifications as it does in other security verticals: “My crystal ball tells me that the NIST [IoT] standard, when it becomes available, will very likely be the thing that the ULs, the TUVs of the world will take from and create an actual certification for this.” Basing his projection on the way organizations have adopted the NIST CSF, Wrenn sees the NIST IoT framework as the foundation for many organizations’ (manufacturers’ and users’) IoT security programs.
What we can expect to see in the coming year is a continued increase in security awareness among non-technical stakeholders. CISOs must be prepared to increase transparency within their organization and view their security program through a risk-based lens. Checkboxes won’t cut it anymore.
We saw that the NIST CSF continues to be the gold standard for organizations, no matter their size. The challenges that enterprises face can be reduced by augmenting teams’ abilities with AI-backed tools like the CyberStrong platform. Learn how by scheduling a demo here.
Lastly, we saw that IoT continues to be the wild west of security standards, and that end users (both enterprises and consumers) need to approach these technologies with caution and an awareness of the risks inherent in them. While we will start to see standards emerge, enterprises especially need to err on the side of caution and adopt them proactively.