This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.
Numerous factors propel us to rethink our approach to cybersecurity, as this blog series maintains. Many of these thoughts revolve around the changing nature of the attackers themselves, with their greater size and sophistication. Other thoughts turn to the attack methods, as new vulnerabilities are discovered and exploited, or to the nature of the threat itself, as we move from assessing risk to individual entities to a greater focus on systemic risks.
However, it is just as important for us to think not only about what and whom we are dealing with, but also about HOW we are dealing with the situation.
It has often been said that you cannot manage what you cannot measure. As the White House moves to set up its new Office of the National Cyber Director (congratulations to Chris Inglis), now may be a good time to think through not only how we assess our cyber risk but also how we assess the way we, and by that I mean our principal government partners, are managing cyber risk.
Although there has been a good deal of talk about the need to develop better cyber metrics (an issue ISA strongly believes in), there has heretofore been precious little evaluation of the public-facing cybersecurity efforts of government, including the effectiveness of current regulatory regimes.
Here, incoming Director Inglis might consider taking a page from the private sector and infusing the new Office of the National Cyber Director with a philosophy of agile management. It is, of course, arguable that the entire federal government should have long ago hopped on the agile management train, but let’s not go crazy here. Certainly, if there is a space where agile management techniques are most appropriate, it is in the Office charged with strategizing and coordinating as dynamic and diverse an issue as cybersecurity.
In a recent report, McKinsey found that “Agile organizations are designed to be fast, resilient, and adaptable. These are exactly the qualities needed to meet the operational challenges unleashed by the crisis we face in cyber…”
In their 2018 study, McKinsey found that successful agile entities “regularly evaluate the progress of initiatives and decide whether to ramp them up or shut them down.” These entities also adapt initiatives to new challenges.
A follow-up study this year showed that the use of agile management techniques was especially helpful in fast-moving crisis situations like COVID-19. One would expect that these techniques would also fit well in the fast-moving crisis which is our current state of cybersecurity.
In a recent follow-up study, McKinsey broke down how organizations can create this stable yet dynamic model and showed that the 2018 advice holds true in a crisis: it empowers networks of teams to decide quickly and learn from mistakes, igniting passion through a dynamic personnel model.
Specifically, in responding to the COVID-19 crisis, many companies had to increase the speed of their decision making while improving productivity and using technology and data in new ways. These shifts have worked: organizations across a wide range of sectors and geographies accomplished difficult tasks and achieved positive results in record time by working faster and managing better.
This research has shown that companies with agile practices already embedded in their operating models managed the impact of the COVID-19 crisis better than their peers. McKinsey analyzed 25 companies across seven sectors that have undergone or are currently undergoing an agile transformation. Almost all of their agile business units responded better than their non-agile units to the shocks associated with the pandemic, as measured by customer satisfaction, employee engagement, and operational performance.
One of the hallmarks of agile management theory is the speedy evaluation of new programs: quickly recognizing what is working and what isn’t, promptly modifying what isn’t working, and expanding what is. This leads to greater efficiency and effectiveness. This readily evaluative aspect of agile organizations can help enhance the efficiency and cost-effectiveness of cyber programs and is a fundamental element of good cyber risk management.
Unfortunately, it has generally been absent from government-industry partnership programs.
One example of a government-industry partnership product that has lacked proper evaluation is the NIST Cybersecurity Framework (CSF): launched in 2013 and systematically evaluated never. The NIST CSF is one of the most heavily promoted government programs for cybersecurity. Yet nearly a decade into its existence, it has never been assessed to determine if it works, what aspects of it work, or whether it is cost-effective.
The lack of systematic evaluation is especially problematic for the smaller companies in our nation’s critical infrastructure. Larger companies have, for the most part, been using the practices outlined in the NIST CSF since before it was launched (the NIST CSF is largely a compilation of already existing standards and practices regularly followed by sophisticated cyber organizations). But the real target, smaller companies, especially those involved in critical infrastructure, have largely ignored the NIST CSF.
The joint industry-Department of Homeland Security Collective Defense White Paper produced in 2018 noted that many small and mid-sized businesses (SMBs) are still unaware of the Framework. Among SMBs that do attempt to use the NIST Framework, many find that it could be more user-friendly, and many lack the expertise to implement it. In 2020, ESI ThoughtLab found that the relationship between companies’ use of the NIST CSF and their effectiveness in actual security is weak, and that CISOs generally acknowledge that following NIST is not enough to provide security against advanced threats.
A recent study by USTelecom found that only 13 percent of SMBs involved in critical infrastructure use any government guidance in their cybersecurity practices. As someone who has worked quite a bit with corporate boards on the issue of cybersecurity, I do not find that result surprising. Modern organizations make funding decisions based on what the data (especially the cost-effectiveness data) tells them. Absent any such data on NIST, it will largely be ignored.
While these findings may be underwhelming, they should not be considered too harsh a judgement on the NIST CSF. It is possible, even likely, that the NIST CSF can enhance security given specific uses of its expansive list of options and the specific needs of various companies and industries. What is required to take a tool like the NIST CSF and maximize its security utility is research that documents which variations of the framework (and there are many possibilities) show cost-effectiveness for specific user populations. Based on a survey of the cybersecurity approaches of over 1,000 companies in 2021, ESI ThoughtLab concluded that “rather than applying NIST as a box-ticking exercise, cybersecurity leaders need to better align such frameworks with their business goals, strategies, and individual risk profiles.”
Private organizations, particularly the smaller ones that are most in need of cybersecurity advice, are most influenced in their spending decisions by data. Research that links the use of specific elements of the CSF to security outcomes would be a strong lever for increasing the voluntary use of the NIST CSF and raising the cybersecurity preparedness of these organizations.
This is just one example of how management techniques long in favor in the private sector can be – and ought to be – adopted by government, at least for partnership programs, and certainly in an area like cybersecurity which, if anything, demands agility.