
NIST Standards: Risk Management Conference


The CyberSaint team saw three main subjects tackled by the keynotes and breakout discussions: how organizations of all sizes are adopting the NIST CSF and the challenges that arise, the increase in risk associated with the supply chain, and the work to define and standardize security protocols for medical devices and internet of things (IoT) technologies.

Adoption of the NIST CSF and RMF

Why checkbox compliance fails organizations

Michael Darling, Director of Information Security at Venable LLP, spoke directly to the issues with check-the-box compliance: “I can do all the controls in 800-53 and say ‘yeah I’ve got that’, but I don’t know which ones [controls] are the most important”. Prioritization, especially relative to the desired outcomes, is critical to the success of an efficient and effective compliance program.

With a checkbox approach to security and compliance, many CISOs and their organizations treat the issue as binary: either we have a control or we don’t. However, as we’ve discussed on the CyberSaint blog, organizations focused purely on compliance do not recognize the unique risks and threats to their own organization on a continual basis. Darling said compliance frameworks need to add “measurement” and “prioritization” to facilitate an outcomes-based approach (two elements the CyberStrong platform inherently enables security teams to do for this reason).

As security becomes a board-level issue, an outcomes-based approach is increasingly necessary. CISOs must be able to connect their security programs to business outcomes as a means of facilitating stable and secure growth of the enterprise. Donald Heckman, Principal Director and CIO at the US Department of Defense, said, “there’s compliance, but then there’s continuous remediation,” and that all organizations need to think through a risk-based lens to continuously improve as opposed to ‘checking the box’. “It’s not a one and done, it’s a continuous process.”

Adoption roadblocks: scalability

For many enterprise-level organizations, adopting the NIST CSF wholesale would mean a complete overhaul of the existing security strategy and program. Of course, this is not possible for a Fortune 50, or even Fortune 500, company. That doesn’t mean the NIST CSF can’t add value to these organizations. In fact, it’s these large organizations that can glean the most value from the gold-standard framework. William Westwater, Program Manager for Information Security Governance at Boeing, said of scaling the NIST CSF for large enterprises, "You're gonna have to buy your scalability - outsource (humans) and consultants."

With security becoming a top-of-mind problem that CEOs are looking to solve, CISOs need to be able to provide actionable steps to further mitigate risks to their organization. The NIST CSF can provide those steps, but CISOs must be able to prioritize them to produce a concrete plan of action that supplements an existing cyber program with the Framework.

Adoption roadblocks: risk quantification

Going hand-in-hand with the scalability problems that many enterprises face when adopting the NIST CSF, risk quantification and a data-based approach to deciding where to start is a problem organizations of all sizes face. Gartner sees this as an area that will define AI-backed integrated risk management (IRM) solutions. The CyberStrong platform already offers AI-backed risk quantification and prioritizes remediation steps based on impact.

Vendor (supply chain) risk

As enterprises become a digital ecosystem of internal stakeholders and third-party vendors, the risk those vendors introduce grows exponentially. With 75% of organizations seeing their vendor list grow by 20% this year, supply chain risk management is a top priority for CISOs. The overall theme that emerged as a means to mitigate this risk was a strong cybersecurity strategy based on risk, not checkbox compliance. In the opening keynote, Leo Simonovich, Siemens Vice President and Global Head of Industrial and Digital Cyber, said "security has to be more than a seatbelt or an airbag in the digital world." This is especially true in managing supply chain risk. As organizations continue to outsource more and more, reactive thinking is no longer an option.

Securing medical devices and the internet of things (IoT)

The balance between user experience and security

During the development of the internet of things, security was largely an afterthought. However, as recent attacks have shown, it cannot stay that way. For organizations embracing IoT, it is a form of risk they are not familiar with: a smart light bulb is suddenly an endpoint that needs to be secured. Speaking on an IoT security panel, CyberSaint CEO George Wrenn argued that user experience has been a great hindrance to IoT security.

Because IoT is a cutting-edge technology that alters user behavior, product managers recognized that a hard-to-use product would slow adoption. Why outfit your house with smart light bulbs if you had to create a secure password for each one? You’d simply buy ‘dumb’ lightbulbs and forget the hassle. However, as Wrenn said, the dichotomy between a secure product and one that’s easy to use has created the problem security professionals face today: not only are black-hat actors able to harness the power of these insecure IoT products, but manufacturers are only now implementing security standards in their products. Calling it the “right to patching”, Wrenn spoke about consumers’ and businesses’ right to have these security holes repaired, even in legacy devices.

Where are the standards?

NIST CRM 5

During the IoT panel, the panelists were asked what they saw in the future of IoT security standards and certifications. IoT security threats pose the greatest risk to enterprise organizations, as they have the greatest reliance on this technology. On the other hand, it is difficult to identify specific threats on the consumer side of IoT. CyberSaint CEO Wrenn spoke to this, saying “We’re starting to see more of a call for regulations in industrial IoT and enterprise IoT but it’s going to be a while until the consumer market gets to that level of certification and that kind of standard.”

Wrenn also spoke to when the industry will start to see IoT security certifications as it does in other security verticals: “My crystal ball tells me that the NIST [IoT] standard, when it becomes available, will very likely be the thing that the UL’s, the TUV’s of the world will take from and create an actual certification for this.” Basing his projection on the way organizations have adopted the NIST CSF, Wrenn sees the NIST IoT framework as the foundation for many organizations’ (manufacturers’ and users’) IoT security programs.

Conclusions

What we can expect to see in the coming year is a continued increase in security awareness among non-technical stakeholders. CISOs must be prepared to increase transparency within their organization and view their security program through a risk-based lens. Checkboxes won’t cut it anymore.

We saw that the NIST CSF continues to be the gold standard for organizations, no matter their size. The challenges that enterprises face can be reduced by augmenting teams’ abilities with AI-backed tools like the CyberStrong platform. Learn how by scheduling a demo here.

Lastly, we saw that IoT continues to be the wild west of security standards and that end users (both enterprises and consumers) need to approach these technologies with caution and with awareness of the risks inherent to them. While we will start to see standards emerge, enterprises especially need to err on the side of caution and adopt them proactively.
