NIST CSF 2.0 governance function

COMMENT

Cybersecurity leaders are constantly looking for tools and strategies to navigate the complex digital threat landscape. But despite being consistently held accountable for safeguarding digital assets, Chief Information Security Officers (CISOs) have long grappled with a glaring gap in their management arsenal: they lack the oversight of all their operations that would let them grasp the big picture while still being able to zoom in quickly on what matters.

The first version of the National Institute of Standards and Technology’s Cybersecurity Framework was developed in 2014 in response to a presidential executive order (EO 13636, Improving Critical Infrastructure Cybersecurity) aimed at helping organizations that manage critical infrastructure mitigate cybersecurity risks. The order directed NIST to work with industry and government stakeholders to create a voluntary framework based on existing standards, guidelines and practices. The Cybersecurity Framework 2.0 expands on the existing five core functions (Identify, Protect, Detect, Respond and Recover) and describes the newly added sixth function, Govern.

An integral part of the CISO’s role

The introduction of the governance function represents a key industry recognition that effective management is an integral part of the CISO’s role. In practical terms, the governance function fills a critical gap in the CISO toolkit, enabling a more comprehensive approach to management. Previously, CISOs faced difficulty addressing key questions and concerns crossing their desks, leading to gaps in their ability to manage effectively. They had no way to answer how well they were implementing policies, whether they were making progress, or whether their latest investment had a significant impact on overall performance.

For example, what is the level of preparedness against a specific threat? Today, scrutiny of policy enforcement and control status is too often driven by word that a threat is trending. This is a reactive approach that will likely bear fruit too late. A more proactive approach means that security leaders have continuous visibility into the performance of a variety of controls and programs and can easily get guidance as soon as a policy is violated. Today, the process of collecting this data from various product owners is so frustrating that most CISOs simply give up and live without it. But rest assured that the moment a threat knocks on their door, they will urgently seek this data. Even if it’s too late.

The process of sourcing new products is yet another example of where effective management has been limited. Once a CISO purchases a new code security tool, for instance, there is no easy way to confirm that it has actually been rolled out unless they ask the team to take the time to submit a report. Performance is a composite of various measurements: Does the tool scan correctly? Does it cover all relevant environments? Is the mean time to resolution (MTTR) acceptable? Are most events handled automatically or manually? Does the team face unresolved challenges?

Consider that code security is just one tool, with a wide range of features, in the vulnerability management domain alone. Multiply that by dozens of tools and questions across multiple programs. An inadequate management process costs an organization dozens of months and hours of work, and it is neither easily repeatable nor scalable.

Empower executives with transparency and visibility

This lack of visibility into operational aspects means that CISOs are essentially managing in the dark, making informed decision making and strategic planning difficult. They are left with many tools, many isolated data narratives, and all the pieces to put together to tell a larger narrative.

The Governance feature in NIST CSF 2.0 directly addresses these shortcomings, providing a framework for effective management. For Govern to empower CISOs in their management roles, it should incorporate several key attributes.

First, transparency must become paramount, allowing CISOs to gain insight into the state of control implementation and evaluate the level of protection provided by their security measures as an overall history and trend, not tool by tool. For example, the CISO office sets a new policy that a user without multi-factor authentication (MFA) who continually fails phishing training will be blocked from company emails. To verify whether the policy is being enforced, the CISO would need continuous trend data points from two different tools, and these points would need to be correlated on an ongoing basis.
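The MFA-plus-phishing policy above is a good illustration of why enforcement can only be measured by correlating two tools. The following script is an added example, not code from the article or from NIST: it assumes constructed exports from an identity provider (MFA status), a phishing-simulation platform (test results) and a mail system (block list), and computes the policy's enforcement rate per reporting period, which is the trend line a governance dashboard would chart.

```python
"""Added example: measure enforcement of the policy "a user without MFA who keeps
failing phishing training is blocked from company email" by correlating exports
from two assumed tools against the mail system's actual block list."""
from collections import defaultdict

# Constructed sample export from the identity provider: user -> MFA enrolled?
MFA_STATUS = {"alice": True, "bob": False, "carol": False, "dave": False}

# Constructed phishing-simulation results: (user, reporting period, failed?).
PHISHING_RESULTS = [
    ("bob", "2023-12", True), ("carol", "2023-12", False),
    ("alice", "2024-01", True), ("bob", "2024-01", True),
    ("carol", "2024-01", True), ("dave", "2024-01", False),
    ("alice", "2024-02", True), ("bob", "2024-02", True),
    ("carol", "2024-02", True), ("dave", "2024-02", True),
]

# Constructed mail-system export: users actually blocked in each period.
BLOCKED = {"2024-01": {"bob"}, "2024-02": {"bob"}}

FAIL_THRESHOLD = 2  # assumed reading of "continually fails": >= 2 failures to date


def users_in_scope(period):
    """Users who, as of `period`, lack MFA and have failed >= FAIL_THRESHOLD tests."""
    failures = defaultdict(int)
    for user, p, failed in PHISHING_RESULTS:
        if p <= period and failed:  # YYYY-MM labels sort correctly as strings
            failures[user] += 1
    return {u for u, n in failures.items()
            if n >= FAIL_THRESHOLD and not MFA_STATUS[u]}


def enforcement_report(period):
    """Return (in_scope, unblocked, rate); rate = share of in-scope users blocked."""
    scope = users_in_scope(period)
    unblocked = scope - BLOCKED.get(period, set())
    rate = 1.0 if not scope else (len(scope) - len(unblocked)) / len(scope)
    return scope, unblocked, rate


def trend(periods):
    """Enforcement rate per period: the time series worth putting on a dashboard."""
    return {p: enforcement_report(p)[2] for p in periods}


if __name__ == "__main__":
    for p in ["2024-01", "2024-02"]:
        scope, unblocked, rate = enforcement_report(p)
        print(f"{p}: in scope={sorted(scope)} unblocked={sorted(unblocked)} rate={rate:.0%}")
```

With the constructed data, enforcement is 100% in January but drops to 50% in February because carol crosses the failure threshold without being blocked; that drop, not any single tool's report, is what the governance view needs to surface.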

Second, this level of insight must be driven by an automated, non-spreadsheet-based measurement system. This system would transcend the different vocabularies and metrics associated with different tools and programs, ensuring a holistic approach without getting lost in technical jargon.

Third, you need a simple way to translate the messy security situation into terms that boards can understand. This addresses the growing need for CISOs to justify ongoing investments when faced with budget constraints.

Finally, continuous, real-time performance monitoring is essential, enabling continuous insight into policy enforcement trends and ensuring that CISOs are not just reactive but proactive in managing and improving their cybersecurity measures. Spreadsheets are static moments in time and not operational. CISOs need to take a big step towards simplified and automated management, just like Monday.com did for project managers.

In essence, the governance function is a recognition that effective management is not just an expectation but a necessity for CISOs. With CSF 2.0, CISOs gain a sixth sense for governing, managing and measuring their cybersecurity operations with a new kind of knowledge and intuition, ushering in a new era of proactive and informed leadership.
