Introduction by ISA President Larry Clinton
Although Albert Einstein probably never said “The definition of insanity is doing the same thing over and over again and expecting a different result,” it’s still a pretty incisive comment that unfortunately applies to cybersecurity regulation. Our current cybersecurity process is insane.
The fact is that the traditional cybersecurity regulatory system has never been shown to actually improve our security, and ironically it actually hinders our security effort by wasting vast amounts of scarce cybersecurity resources. In his classic work How to Measure Anything in Cybersecurity, Douglas Hubbard did an extensive literature review on the methodology that the cybersecurity regulatory system is based on and concluded that there is no independent verification that it generates enhanced security.
The current regulatory process is predominantly a checklist – often a very long checklist – of items that are usually not prioritized and do not relate directly to the business they are supposedly being used to manage. Twenty years ago, when these lists of practices were all we had, this was probably acceptable. However, as we will discuss in future posts, we now have far better processes we can use, and these modern models need to replace the antiquated checklists.
The cyber regulatory model is based on methods used to manage traditional business operations such as financial compliance. That is a pass-fail model – you are either compliant or not. It is a backward-looking model (did you file the form, and was it accurate?), and it was designed to check corporate malfeasance.
The problem is that cybersecurity is not a backward-looking, check-the-box process, and the core problem is not malfeasant organizations. Cybersecurity is not pass-fail – security is a continuum, not a destination. Our cyber process needs to be a forward-looking risk management process. The real problem is that well-financed attackers, often nation states, are using sophisticated methods that only the largest companies, at best, can hope to defend against – a point recently conceded in President Biden’s new national cybersecurity strategy.
Moreover, despite several Executive Orders calling for government regulations to be cost-effective, neither the regulatory systems generally used in the cybersecurity field nor the frameworks they are based on have ever been subjected to a cost-benefit analysis that could demonstrate their utility from a security (as opposed to compliance) perspective.
The goal of our regulatory process should not be compliance. It needs to be security, which is a very different thing. Compliance is generally a minimal accepted practice, where there is little incentive for entities to go beyond the compliance standard, even if more is required to provide actual security effectiveness.
In today’s compliance world, you can be compliant and not operationally effective. For example, every security compliance standard says an organization needs to have antivirus on the endpoint. However, there is no differentiation in the operational effectiveness of that solution. An organization can deploy the cheapest, simplest rule-based antivirus solution and get the “check” for having met the requirement. However, those that deploy a more sophisticated (and expensive) “anti-malware, behavior-based” solution get no additional credit.
For nearly a decade the US government has touted the use of the NIST Cybersecurity Framework (NIST CSF) as the answer to most cybersecurity problems and made it the core of most government cyber regulatory structures. “It’s easy; just follow NIST,” is the implicit, sometimes explicit, message. However, the government has resolutely refused calls to test the NIST CSF for effectiveness and cost-effectiveness, as called for in Presidential Executive Order 13636, which gave rise to the development of the NIST CSF.
Meanwhile, independent studies have found little basis for government claims regarding NIST CSF effectiveness. ESI ThoughtLab’s 2020 study found that only a minority (42 percent) of the companies found to be leaders in terms of NIST CSF compliance were also leaders in terms of cybersecurity effectiveness. “ESI’s statistical finding confirms what many CISOs know: Firms need to go beyond NIST and other frameworks to secure their enterprises from escalating cyber-attacks.”
To its credit, the new national cybersecurity strategy calls for metrics and cost-benefit analysis. These new metrics need to begin with a cost-benefit analysis of the existing regulatory regime, and unless the traditional regulations can be shown to meet that test (and I’m not betting they will be – any takers?), the traditional regulatory process needs to be fundamentally reformed.
We will cover how in future posts.