The Push for Improved Cybersecurity: A Step in the Right Direction
The Importance of Federal Guidelines and Requirements
As someone with nearly two decades of experience in the cybersecurity industry, I am pleased to see federal entities placing more focus on the necessary changes to keep organizations secure. The Department of Defense (DoD), Cybersecurity and Infrastructure Security Agency (CISA), and White House have all released updated cyber guidelines and policies, signaling a newfound sense of urgency and importance in cyber defenses, preparedness, and skilled talent.
Furthermore, the proposed new cybersecurity requirements from the US Securities and Exchange Commission (SEC) hint at an impending incident disclosure rule and the necessity for cybersecurity expertise on company boards. While we await the final language of these requirements, it is clear that they represent a step in the right direction for enhancing transparency and communication, highlighting the fact that cybersecurity is a business imperative across all industries. However, there is an important caveat to consider.
Challenges Faced by Organizations
While the added pressure from the SEC and other government agencies on timely reporting and disclosure is a needed force for change, many organizations are ill-equipped to handle this level of oversight and reporting. In fact, fewer than 60% of security leaders currently feel confident in their breach readiness and incident response capabilities. Additionally, over half of security leaders (55%) acknowledge that their cybersecurity teams lack the necessary data to demonstrate readiness in responding to cyber threats.
The Search for Better Approaches
In order to comply with government guidelines, organizations must invest in more effective ways of building and proving their cyber capabilities. This requires a paradigm shift in their approach to cybersecurity, encompassing the following actions:
1. Provide Specific Metrics for Proving Resilience and Capabilities
Although proof points and actionable metrics underpin nearly every other business function, measurement is practically nonexistent when it comes to identifying the strengths and weaknesses of an organization's cybersecurity posture.
For organizations to advance their cyber resilience, cybersecurity teams need better methods to assess and prove their capabilities and resilience. Without metrics to gauge efficacy, it is difficult for leaders to determine whether investments in training are worthwhile. While organizations may have the right risk management tools in place and conduct breach readiness assessments, they often fall short in adequately assessing and training for resilience.
2. Move Away from Technological “Spot Solutions”
In an ever-evolving threat landscape, many security leaders respond by adding more tools to already extensive stacks in an attempt to prove their cybersecurity strength to key stakeholders. However, stitching together "spot solutions" tends to leave gaps between the tools that are never covered by any of them, leaving the organization an easier target for attackers.
While there are tools available for almost every security challenge, a plug-and-play approach is not the most effective one. Chief Information Security Officers (CISOs) should consider consolidating their tools to reduce complexity. Nevertheless, relying solely on a streamlined tool set is insufficient. Gartner predicts that by 2023 there will be a greater focus on the human element of cybersecurity, indicating that security tech solutions must be coupled with a battle-tested and capable workforce to respond effectively to cyber threats.
3. Prioritize People in the Approach to Cybersecurity
Adopting a people-centric and proactive approach to cybersecurity places organizations in a better position to combat cyber threats and prove resilience to boards and company leadership. While organizations may be investing in traditional cybersecurity training methods such as certifications, table-top exercises, and classroom work, these tactics alone are largely insufficient in addressing current cyber attacks, especially in light of recent surges in ransomware and generative AI technologies.
It is important for cybersecurity leaders to recognize that 80% of cyber leaders do not believe their teams have the capabilities to respond to future attacks, despite increased training investments. To address ongoing staffing challenges and the talent gap, it is necessary to reassess hiring practices. HR and hiring managers should avoid over-relying on and overemphasizing certifications, as this creates a costly barrier to entry for early-career and diverse security talent.
In order to meet the new expectations, CISOs must be armed with strategic metrics and proof points to better align their organizations for defense against the ever-changing threat landscape.
The Path Towards Improved Cyber Readiness and Resilience
While there is still work to be done to enhance our approach to cyber readiness and resilience, it is promising to see cybersecurity and its leaders finally gaining a seat at the head of the table. The fact that multiple federal entities are making a concerted effort to emphasize the need for communication and proof indicates momentum in the right direction.
In conclusion, the increased focus on cybersecurity from government entities, together with the proposed requirements from the SEC, demonstrates a heightened recognition of the importance of cyber defenses and preparedness. However, organizations must overcome the challenges they face and adopt better approaches to cybersecurity that prioritize specific metrics, move away from technological "spot solutions," and put people first. By doing so, they can strengthen their resilience against cyber threats and keep pace with the changing landscape of cybersecurity.